ForensicsTools

A list of free and open forensics analysis tools and other resources
https://github.com/mesquidar/ForensicsTools

Last synced: about 6 hours ago
JSON representation

Related Awesome Lists
- Other
Challenges
- Carving
  - photorec - File carving tool
  - bulk_extractor - Extracts informations like email adresses, creditscard numbers and histrograms of disk images
  - bstrings - Improved strings utility
  - swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.
  - floss - Static analysis tool to automatically deobfuscate strings from malware binaries
- Network Forensics
  - WireShark
  - Xplico
  - NetworkMiner
- Distributions
  - Remnux - Distro for reverse-engineering and analyzing malicious software
  - Santoku Linux - Santoku is dedicated to mobile forensics, analysis, and security, and packaged in an easy to use, Open Source platform.
  - Tsurugi Linux - Linux distribution for forensic analysis
  - WinFE - Windows Forensics enviroment
  - CAINE
  - Sumuri Paladin - Linux distribution that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox
  - GRML-Forensic
  - bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
  - SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis
  - Predator OS - Linux distribution for forensic analysis
  - Predator OS - Linux distribution for forensic analysis
- Acquisition
  - RAM Capturer - by Belkasoft is a free tool to dump the data from a computer’s volatile memory. It’s compatible with Windows OS.
  - DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
  - Magnet RAM Capture - is a free imaging tool designed to capture the physical memory
  - DumpIt
  - Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
  - AVML - A portable volatile memory acquisition tool for Linux
  - LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
  - FastIR Collector - Collect artifacts on windows
  - artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
  - ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
  - FireEye Memoryze
  - Fuji - Graphical interface for the forensic logical acquisition of Mac computers
  - UFADE - Extract files from Apple devices on Windows, Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and "advanced logical backups"
- Frameworks
  - Autopsy - SleuthKit GUI
  - Kuiper - Digital Investigation Platform
  - Laika BOSS - Laika is an object scanner and intrusion detection system
  - IntelMQ - IntelMQ collects and processes security feeds
  - The Sleuth Kit - Tools for low level forensic analysis
  - turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
  - PowerForensics - PowerForensics is a framework for live disk forensic analysis
  - dff - Forensic framework
  - dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
  - RegRippy - is a framework for reading and extracting useful forensics data from Windows registry hives.
  - IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
  - Autopsy - SleuthKit GUI
- Windows Artifacts
  - CrowdResponse - by CrowdStrike is a static host data collection tool
  - FRED - Cross-platform microsoft registry hive editor
  - LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
  - MFT-Parsers - Comparison of MFT-Parsers
  - Beagle - Transform data sources and logs into graphs
  - LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  - NTFSTool - Complete NTFS forensics tool
  - python-evt - Pure Python parser for classic Windows Event Log files (.evt)
  - RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis.
  - MFTExtractor - MFT-Parser
  - NTFS journal parser
  - NTFS USN Journal parser
  - RecuperaBit - Reconstruct and recover NTFS data
  - python-ntfs - NTFS analysis
  - CrowdResponse - by CrowdStrike is a static host data collection tool
  - MFT-Parsers - Comparison of MFT-Parsers
  - NTFS journal parser
- Browser Artifacts
  - ChromeCacheView - by Nirsoft is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
  - Dumpzilla - extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers
  - unfurl - Extract and visualize data from URLs
  - hindsight - Internet history forensics for Google Chrome/Chromium
  - chrome-url-dumper - Dump all local stored infromation collected by Chrome
  - Dumpzilla - extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers
- Disk image handling
  - xmount - Convert between different disk image formats
  - OSFMount - allows you to mount local disk image files (bit-for-bit copies of an entire disk or disk partition) in Windows as a physical disk or a logical drive
  - libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  - Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
  - imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
  - PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer.
- Decryption
  - hashcat - Fast password cracker with GPU support
  - John the Ripper - Password cracker
- Picture Analysis
  - Ghiro - is a fully automated tool designed to run forensics analysis over a massive amount of images
  - sherloq - An open-source digital photographic image forensic toolset
- Metadata Forensics
  - ExifTool
  - Exiv2 - Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata
  - FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents
  - Exiv2 - Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata
- - Blue Team Labs Online
- Imageing
  - Guymager - Open source version for disk imageing on linux systems
  - dc3dd - Improved version of dd
  - BelkaImager - by Belkasoft allows you to create images of hard and removable disks, Android and iOS devices and download data from the cloud.
  - dcfldd - Different improved version of dd (this version has some bugs!, another version is on github [adulau/dcfldd](https://github.com/adulau/dcfldd))
  - FTK Imager - Free imageing tool for windows
- Steganography
  - Stegsolve - analyze images in different planes by taking off bits of the image
  - Binwalk - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  - Zsteg - A steganographic coder for WAV files
  - Foremost - is a program to recover files based on their headers and footers
  - Steghide - is a steganography program that hides data in various kinds of image and audio files
  - Wavsteg - is a steganography program that hides data in various kinds of image and audio files
  - Stegsolve - analyze images in different planes by taking off bits of the image
  - Steghide - is a steganography program that hides data in various kinds of image and audio files
  - Audacity - an easy-to-use, multi-track audio editor and recorder
- OS X Forensics
  - MAC OSX Artifacts - locations artifacts by mac4n6 group
  - OSXAuditor
  - mac_apt (macOS Artifact Parsing Tool) - Extracts forensic artifacts from disk images or live machines
  - APFS Fuse - is a read-only FUSE driver for the new Apple File System
  - APOLLO
  - MacLocationsScraper - Dump the contents of the location database files on iOS and macOS.
  - macMRUParser - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format.
  - OSX Collect
- Live forensics
  - osquery - SQL powered operating system analytics
  - mig - Distributed & real time digital forensics at the speed of the cloud
  - grr - GRR Rapid Response: remote live forensics for incident response
  - Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
- Timeline Analysis
  - timesketch - Collaborative forensic timeline analysis
  - DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  - plaso - Extract timestamps from various files and aggregate them
  - timeliner - A rewrite of mactime, a bodyfile reader
- Docker Forensics
  - Docker Explorer
  - dof (Docker Forensics Toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems
- Mobile Forensics
  - MobSF - is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
  - Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices
  - ALEAPP - An Android Logs Events and Protobuf Parser
  - iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
  - MEAT - Perform different kinds of acquisitions on iOS devices
  - OpenBackupExtractor - is an app for extracting data from iPhone and iPad backups.
- Memory Forensics
  - volatility - The memory forensic framework
  - inVtero.net - High speed memory analysis framework
  - Rekall - Memory Forensic Framework
  - MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
  - KeeFarce - Extract KeePass passwords from memory
  - VolUtility - Web App for Volatility framework
- Management
  - dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
  - Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
  - dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
- Website Forensics
  - Freezing Internet Tool - Python 3 application for forensic acquisition of online content, including web pages, emails, and social media.
Resources
- Twitter
  - @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
  - @4n6ist
  - @aheadless
  - @AppleExaminer - Apple OS X & iOS Digital Forensics
  - @carrier4n6 - Brian Carrier, author of Autopsy and the Sleuth Kit
  - @CindyMurph - Detective & Digital Forensic Examiner
  - @forensikblog - Computer forensic geek
  - @HECFBlog - SANS Certified Instructor
  - @Hexacorn - DFIR+Malware
  - @hiddenillusion
  - @jaredcatkinson - PowerShell Forensics
  - @maridegrazia - Computer Forensics Examiner
  - @sleuthkit
  - @williballenthin
  - @XWaysGuide
  - @blackbagtech
  - @EricRZimmerman - Certified SANS Instructor
  - @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
  - @jaredcatkinson - PowerShell Forensics
  - @4n6ist
  - @aheadless
  - @AppleExaminer - Apple OS X & iOS Digital Forensics
  - @blackbagtech
  - @carrier4n6 - Brian Carrier, author of Autopsy and the Sleuth Kit
  - @CindyMurph - Detective & Digital Forensic Examiner
  - @EricRZimmerman - Certified SANS Instructor
  - @forensikblog - Computer forensic geek
  - @HECFBlog - SANS Certified Instructor
  - @Hexacorn - DFIR+Malware
  - @hiddenillusion
  - @maridegrazia - Computer Forensics Examiner
  - @sleuthkit
  - @williballenthin
  - @XWaysGuide
- Blogs
  - Zena Forensics
  - FlashbackData
  - Netresec
  - SANS Forensics Blog
  - roDigitalForensics
  - Cyberforensics
  - Cyberforensicator
  - DigitalForensicsMagazine
  - SANS Forensics Blog
  - SecurityAffairs - blog by Pierluigi Paganini
- Books
  - The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
  - The Practice of Network Security Monitoring - Understanding Incident Detection and Response
  - Cell Phone Investigations: Search Warrants, Cell Sites and Evidence Recovery - Cell Phone Investigations is the most comprehensive book written on cell phones, cell sites, and cell related data.
  - Recommended Readings
  - Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackers’ tracks and uncover network-based evidence
  - The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
- Webs
- File System Corpora
  - Digital Forensic Challenge Images - Two DFIR challenges with images
  - Digital Forensics Tool Testing Images
  - FAU Open Research Challenge Digital Forensics
  - Digital Forensics Tool Testing Images
  - The CFReDS Project
  - Hacking Case (4.5 GB NTFS Image)
- Other
  - /r/computerforensics/ - Subreddit for computer forensics
  - ForensicControl
  - ForensicPosters - Posters of file system structures
  - HFS+ Resources
  - mac4n6 Presentations - Presentation Archives for OS X and iOS Related Research
  - SANS Digital Forensics Posters - Digital Forensics Posters from SANS
  - SANS WhitePapers - White Papers written by forensic practitioners seeking GCFA, GCFE, and GREM Gold
Tools
- Forensics tools on Wikipedia
- Eric Zimmerman's Tools
Learn forensics
- Website Forensics
  - Forensic challenges - Mindmap of forensic challenges
  - OpenLearn - Digital forensic course
  - Training material - Online training material by European Union Agency for Network and Information Security for different topics (e.g. [Digital forensics](https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational/#digital_forensics), [Network forensics](https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational/#network_forensics))
- Challenges
  - Forensics CTFs
  - MalwareTech Challenges
  - MalwareTraffic Analysis
  - Precision Widgets of North Dakota Intrusion
  - Champlain College DFIR CTF
  - AnalystUnknown Cyber Range
  - Corelight CTF
  - PivotProject
  - IncidentResponse Challenge
  - MemLabs
  - CyberDefenders
  - DefCon CTFs - archive of DEF CON CTF challenges.
  - IncidentResponse Challenge
  - MagnetForensics CTF Challenge
  - NW3C Chanllenges
  - ReverseEngineering Challenges
  - SANS Forensics Challenges
Collections
- dfir.training - Database of forensic resources focused on events, tools and more
- ForensicArtifacts.com Artifact Repository - Machine-readable knowledge base of forensic artifacts
- DFIR-SQL-Query-Repo - Collection of SQL queries templates for digital forensics use by platform and application.
- DFIR – The definitive compendium project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more

Programming Languages

Python 40 C++ 8 Go 6 C 5 C# 4 Shell 4 JavaScript 4 Ruby 2 Perl 2 Rust 2

ForensicsTools

Related Awesome Lists

Other

Challenges

Carving

Network Forensics

Distributions

Acquisition

Frameworks

Windows Artifacts

Browser Artifacts

Disk image handling

Decryption

Picture Analysis

Metadata Forensics

Imageing

Steganography

OS X Forensics

Live forensics

Timeline Analysis

Docker Forensics

Mobile Forensics

Memory Forensics

Management

Website Forensics

Resources

Twitter

Blogs

Books

Webs

File System Corpora

Other

Tools

Learn forensics

Website Forensics

Challenges

Collections