IR Tools Collection

• All-In-One Tools

  • Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
  • CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
  • Cyber Triage - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
  • Flare - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.
  • Limacharlie - Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality.
  • Open Computer Forensics Architecture - Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
  • osquery - Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided *incident-response pack* helps you detect and respond to breaches.
  • Redline - Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
  • The Sleuth Kit & Autopsy - Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
  • TheHive - Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
  • X-Ways Forensics - Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
  • CimSweep - Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
  • CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
  • Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
  • Doorman - osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
  • Falcon Orchestrator - Extendable Windows-based application that provides workflow automation, case management and security response functionality.
  • Flare - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.
  • Fleetdm - State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions.
  • GRR Rapid Response - Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, [PowerGRR](https://github.com/swisscom/PowerGRR) provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
  • IRIS - IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level.
  • Kuiper - Digital Forensics Investigation Platform
  • Matano
  • MozDef - Automates the security incident handling process and facilitate the real-time activities of incident handlers.
  • MutableSecurity - CLI program for automating the setup, configuration, and use of cybersecurity solutions.
  • nightHawk - Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
  • SOC Multi-tool - A powerful and user-friendly browser extension that streamlines investigations for security professionals.
  • Velociraptor - Endpoint visibility and collection tool

• Books

  • Applied Incident Response - Steve Anson's book on Incident Response.
  • Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan - by Jeff Bollinger, Brandon Enright and Matthew Valites.
  • Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats - by Gerard Johansen.
  • Introduction to DFIR - By Scott J. Roberts.
  • Incident Response & Computer Forensics, Third Edition - The definitive guide to incident response.
  • Incident Response Techniques for Ransomware Attacks - A great guide to build an incident response strategy for ransomware attacks. By Oleg Skulkin.
  • Incident Response with Threat Intelligence - Great reference to build an incident response plan based also on Threat Intelligence. By Roberto Martinez.
  • Intelligence-Driven Incident Response - By Scott J. Roberts, Rebekah Brown.
  • Operator Handbook: Red Team + OSINT + Blue Team Reference - Great reference for incident responders.
  • Practical Memory Forensics - The definitive guide to practice memory forensics. By Svetlana Ostrovskaya and Oleg Skulkin.
  • The Practice of Network Security Monitoring: Understanding Incident Detection and Response - Richard Bejtlich's book on IR.
  • Operator Handbook: Red Team + OSINT + Blue Team Reference - Great reference for incident responders.
  • The Practice of Network Security Monitoring: Understanding Incident Detection and Response - Richard Bejtlich's book on IR.

• Communities

  • Digital Forensics Discord Server - Community of 8,000+ working professionals from Law Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty of students and hobbyists! Guide [here](https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/).
  • Slack DFIR channel - Slack DFIR Communitiy channel - [Signup here](https://start.paloaltonetworks.com/join-our-slack-community).

• Disk Image Creation Tools

  • AccessData FTK Imager - Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.
  • GetData Forensic Imager - Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
  • Guymager - Free forensic imager for media acquisition on Linux.
  • Magnet ACQUIRE - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

• Evidence Collection

  • Cold Disk Quick Response - Streamlined list of parsers to quickly analyze a forensic image file (`dd`, E01, `.vmdk`, etc) and output nine reports.
  • Live Response Collection - Automated tool that collects volatile data from Windows, OSX, and \*nix based operating systems.
  • Live Response Collection - Automated tool that collects volatile data from Windows, OSX, and \*nix based operating systems.

• Incident Management

  • CyberCPR - Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
  • CORTEX XSOAR - Paloalto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations.
  • RTIR - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
  • Shuffle - A general purpose security automation platform focused on accessibility.
  • Zenduty - Zenduty is a novel incident management platform providing end-to-end incident alerting, on-call management and response orchestration, giving teams greater control and automation over the incident management lifecycle.
  • RTIR - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
  • Cyphon - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

• Linux Distributions

  • The Appliance for Digital Investigation and Analysis (ADIA) - VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
  • Computer Aided Investigative Environment (CAINE) - Contains numerous tools that help investigators during their analysis, including forensic evidence collection.
  • CCF-VM - CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.
  • NST - Network Security Toolkit - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
  • PALADIN - Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included.
  • SANS Investigative Forensic Toolkit (SIFT) Workstation - Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

• Log Analysis Tools

  • Event Log Explorer - Tool developed to quickly analyze log files and other data.
  • Event Log Observer - View, analyze and monitor events recorded in Microsoft Windows event logs with this GUI tool.
  • Kaspersky CyberTrace - Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.
  • Log Parser Lizard - Execute SQL queries against structured log data: server logs, Windows Events, file system, Active Directory, log4net logs, comma/tab separated text, XML or JSON files. Also provides a GUI to Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data grid, chart, pivot table, dashboard, query manager and more.
  • Lorg - Tool for advanced HTTPD logfile security analysis and forensics.

• Memory Analysis Tools

  • Memoryze for Mac - Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however.
  • Orochi - Orochi is an open source framework for collaborative forensic memory dump analysis.
  • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
  • Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution.
  • WindowsSCOPE - Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory.
  • Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution.
  • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.

• Memory Imaging Tools

  • Belkasoft Live RAM Capturer - Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
  • MAGNET DumpIt - Fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines.
  • Magnet RAM Capture - Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
  • OSForensics - Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
  • Magnet RAM Capture - Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.

• OSX Evidence Collection

  • Knockknock - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX.
  • The ESF Playground - A tool to view the events in Apple Endpoint Security Framework (ESF) in real time.

• Other Lists

  • Eric Zimmerman Tools - An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.
  • List of various Security APIs - Collective list of public JSON APIs for use in security.

• Other Tools

  • Cortex - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
  • Crits - Web-based tool which combines an analytic engine with a cyber threat database.
  • Stalk - Collect forensic data about MySQL when problems occur.
  • X-Ray 2.0 - Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.
  • Cortex - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.

• Sandboxing/Reversing Tools

  • Virustotal - Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
  • Yomi - Free MultiSandbox managed and hosted by Yoroi.
  • Any Run - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.
  • Hybrid-Analysis - Free powerful online sandbox by CrowdStrike.
  • Intezer - Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
  • Joe Sandbox (Community) - Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
  • Metadefender Cloud - Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files.
  • Reverse.IT - Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.
  • StringSifter - A machine learning tool that ranks strings based on their relevance for malware analysis.
  • Threat.Zone - Cloud based threat analysis platform which include sandbox, CDR and interactive analysis for researchers.
  • Valkyrie Comodo - Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

• Playbooks

  • AWS Incident Response Runbook Samples - AWS IR Runbook Samples meant to be customized per each entity using them. The three samples are: "DoS or DDoS attack", "credential leakage", and "unintended access to an Amazon S3 bucket".
  • Counteractive Playbooks - Counteractive PLaybooks collection.
  • PagerDuty Incident Response Documentation - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs).

• Process Dump Tools

  • Microsoft ProcDump - Dumps any running Win32 processes memory image on the fly.
  • PMDump - Tool that lets you dump the memory contents of a process to a file without stopping the process.
  • PMDump - Tool that lets you dump the memory contents of a process to a file without stopping the process.

• Timeline Tools

  • Highlighter - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.

• Videos

  • The Future of Incident Response - Presented by Bruce Schneier at OWASP AppSecUSA 2015.

• Windows Evidence Collection

  • Crowd Response - Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
  • DFIR ORC - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc).
  • IREC - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
  • IOC Finder - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2.
  • KAPE - Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.

• Adversary Emulation

  • APTSimulator - Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Atomic Red Team (ART) - Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
  • AutoTTP - Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
  • Caldera - Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
  • DumpsterFire - Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
  • Metta - Information security preparedness tool to do adversarial simulation.
  • Network Flight Simulator - Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
  • Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
  • RedHunt-OS - Virtual machine for adversary emulation and threat hunting.