https://github.com/alphaSeclab/awesome-forensics

Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics.
https://github.com/alphaSeclab/awesome-forensics

List: awesome-forensics

anti-forensics forensics

Last synced: about 1 year ago
JSON representation

Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics.

• Host: GitHub
• URL: https://github.com/alphaSeclab/awesome-forensics
• Owner: alphaSeclab
• Created: 2019-12-30T07:49:15.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2019-12-31T06:54:48.000Z (over 6 years ago)
• Last Synced: 2025-05-07T21:01:51.417Z (about 1 year ago)
• Topics: anti-forensics, forensics
• Size: 76.2 KB
• Stars: 633
• Watchers: 34
• Forks: 115
• Open Issues: 2
• Metadata Files:
  • Readme: Readme.md
  • Changelog: history/Forensics_20191230154624.json

Awesome Lists containing this project

• awesome-honeypot - 取证相关工具和文章: awesome-forensics
• ultimate-awesome - awesome-forensics - Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics. (Other Lists / TeX Lists)
• awesome-reverse-engineering - 取证相关工具和文章: awesome-forensics
• awesome-security-collection - 取证相关工具和文章
• awesome-hacking-lists - alphaSeclab/awesome-forensics - Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics. (Others)

README

          
# 所有收集类项目:

- [收集的所有开源工具: sec-tool-list](https://github.com/alphaSeclab/sec-tool-list): 超过18K, 包括Markdown和Json两种格式

- [逆向资源: awesome-reverse-engineering](https://github.com/alphaSeclab/awesome-reverse-engineering): IDA/Ghidra/x64dbg/OllDbg/WinDBG/CuckooSandbox/Radare2/BinaryNinja/DynamoRIO/IntelPin/Frida/QEMU/Android安全/iOS安全/Window安全/Linux安全/macOS安全/游戏Hacking/Bootkit/Rootkit/Angr/Shellcode/进程注入/代码注入/DLL注入/WSL/Sysmon/...

- [网络相关的安全资源: awesome-network-stuff](https://github.com/alphaSeclab/awesome-network-stuff): 代理/GFW/反向代理/隧道/VPN/Tor/I2P，以及中间人/PortKnocking/嗅探/网络分析/网络诊断等

- [攻击性网络安全资源: awesome-cyber-security](https://github.com/alphaSeclab/awesome-cyber-security): 漏洞/渗透/物联网安全/数据渗透/Metasploit/BurpSuite/KaliLinux/C&C/OWASP/免杀/CobaltStrike/侦查/OSINT/社工/密码/凭证/威胁狩猎/Payload/WifiHacking/无线攻击/后渗透/提权/UAC绕过/...

- [开源远控和恶意远控分析报告: awesome-rat](https://github.com/alphaSeclab/awesome-rat): 开源远控工具: Windows/Linux/macOS/Android; 远控类恶意恶意代码的分析报告等

- [Webshell工具和分析/使用文章: awesome-webshell](https://github.com/alphaSeclab/awesome-webshell): Webshell资源收集, 包括150个Github项目, 200个左右文章

- [取证相关工具和文章: awesome-forensics](https://github.com/alphaSeclab/awesome-forensics): 近300个取开源证工具，近600与取证相关文章

# Forensics

- [English Version](https://github.com/alphaSeclab/awesome-forensics/blob/master/Readme_en.md)

# 目录

- [工具](#d4e014cbc478d3e5625e6ca1622781d3)

    - [(157) 新添加](#ecb63dfb62722feb6d43a9506515b4e3)

    - [(3) LinuxDistro](#bd653a0f2c8ff4aab78bb2be2257362b)

    - [(9) 资源收集](#601dcc03dc2254612e1b88816ae2b820)

    - [(74) Volatility](#4d2a33083a894d6e6ef01b360929f30a)

    - [(5) Sleuthkit](#8159418f807637a0d70406803a3c08c5)

    - [(4) Rekall](#0b1db12ec509cd6fb489c93a4cc837d5)

    - [(3) bulk_extractor](#0d23b542d7b0b1069a91f6c500009c3a)

    - [(9) 反取证](#bd015dd7245b420dca75a267133ddce3)

    - [(7) macOS](#9c0413531a5b5afd12b89ccdc744afbd)

    - [(2) iOS](#a93df189246db405e8182a42d3f7e553)

    - [(8) Linux](#505d67a56d03c921dd19737c28c3d8fc)

- [文章](#c81ed9f7fec66ce81b864962ed4ea9c7)

    - [(399) 新添加](#fbccbf27fb92d876bdfb1626e4e0e86c)

    - [(150) Volatility](#bc6550163d1995f3ce6323404e2cec28)

    - [(4) Sleuthkit](#c529f60a5b6f420255ae79843446a145)

    - [(13) Rekall](#b6797fda3a16667cd5726ef4aa86b0e1)

# 文章

***

## 新添加

- 2019.12 [sans] [HSTS For Forensics: You Can Run, But You Can't Use HTTP](https://digital-forensics.sans.org/blog/2019/12/17/hsts-for-forensics-you-can-run-but-you-cant-use-http)

- 2019.12 [eforensicsmag] [6 Threat Intelligence Sources That Will Help Enhance Digital Forensics Readiness | By Jonathan Zhang](https://eforensicsmag.com/6-threat-intelligence-sources-that-will-help-enhance-digital-forensics-readiness-by-jonathan-zhang/)

- 2019.12 [mac4n6] [New(ish) Presentation: Poking the Bear - Teasing out Apple's Secrets through Dynamic Forensic Testing and Analysis](https://www.mac4n6.com/blog/2019/12/10/newish-presentation-poking-the-bear-teasing-out-apples-secrets-through-dynamic-forensic-testing-and-analysis)

- 2019.12 [4hou] [移动设备数字取证过程概述（下）](https://www.4hou.com/tools/22000.html)

- 2019.12 [4hou] [移动设备数字取证过程概述（上）](https://www.4hou.com/system/21685.html)

- 2019.11 [freebuf] [DFIRTriage：针对Windows的事件应急响应数字取证工具](https://www.freebuf.com/articles/system/220240.html)

- 2019.11 [freebuf] [Windows系统安全事件日志取证工具：LogonTracer](https://www.freebuf.com/sectool/219786.html)

- 2019.11 [compass] [Challenging Your Forensic Readiness with an Application-Level Ransomware Attack](https://blog.compass-security.com/2019/11/challenging-your-forensic-readiness-with-an-application-level-ransomware-attack/)

- 2019.11 [freebuf] [AutoMacTC：一款针对macOS环境的自动化取证分类采集器](https://www.freebuf.com/sectool/218812.html)

- 2019.11 [eforensicsmag] [CRYPTO & DATA ERASURE: After forensic analysis drives should be securely wiped | By Paul Katzoff](https://eforensicsmag.com/crypto-data-erasure-after-forensic-analysis-drives-should-be-securely-wiped-by-paul-katzoff/)

- 2019.10 [eforensicsmag] [Encrypted file system forensics - Introduction (EXT4) [FREE COURSE CONTENT]](https://eforensicsmag.com/encrypted-file-system-forensics-introduction-ext4/)

- 2019.10 [4hou] [iPhone取证的通用方法](https://www.4hou.com/web/21192.html)

- 2019.10 [Cooper] [Beyond Windows Forensics With Built-in Microsoft Tooling - Thomas Fischer](https://www.youtube.com/watch?v=_hSuoNAfOSE)

- 2019.10 [Cooper] [Memory Forensics Analysis Of Cisco IOS XR 32 Bits Routers With 'Amnesic-Sherpa' - Solal Jacob](https://www.youtube.com/watch?v=ukZnBh6r8Q8)

- 2019.10 [4hou] [如何在Windows上重现macOS上的取证技巧](https://www.4hou.com/web/20530.html)

- 2019.10 [HackersOnBoard] [Lessons from Virginia - A Comparative Forensic Analysis of WinVote Voting Machine](https://www.youtube.com/watch?v=1z7z853__5E)

- 2019.10 [HackersOnBoard] [Black Hat USA 2016 Memory Forensics Using Virtual Machine Introspection for Cloud Computing](https://www.youtube.com/watch?v=NNbiZD15NFA)

- 2019.10 [elcomsoft] [Installing and using iOS Forensic Toolkit on macOS 10.15 Catalina](https://blog.elcomsoft.com/2019/10/installing-and-using-ios-forensic-toolkit-on-macos-catalina/)

- 2019.09 [mac4n6] [Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics](https://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics)

- 2019.09 [venus] [RDP 登录日志取证与清除](https://paper.seebug.org/1043/)

- 2019.09 [freebuf] [Usbrip：用于跟踪USB设备固件的简单CLI取证工具](https://www.freebuf.com/sectool/210305.html)

- 2019.09 [PositiveTechnologies] [Forensics: why there are no perfect crimes](https://www.youtube.com/watch?v=NgjUi7dSEsg)

- 2019.09 [sans] [Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS](https://digital-forensics.sans.org/blog/2019/09/16/strengthen-your-investigatory-powers-for498)

- 2019.09 [4hou] [什么是数字取证(Digital forensics)？ 如何在这个热门领域站稳脚跟？](https://www.4hou.com/info/news/20249.html)

- 2019.09 [4hou] [使用osquery进行远程取证](https://www.4hou.com/web/18369.html)

- 2019.09 [elcomsoft] [Apple TV Forensics 03: Analysis](https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/)

- 2019.09 [securelayer7] [CAN Bus protocol Penetration testing and forensics](https://blog.securelayer7.net/can-bus-protocol-penetration-testing-and-forensics/)

- 2019.09 [hackers] [Network Forensics, Part 3: tcpdump for Network Analysis](https://www.hackers-arise.com/single-post/2019/09/03/Network-Forensics-Part-3-tcpdump-for-Network-Analysis)

- 2019.09 [freebuf] [浅谈电子数字取证技术](https://www.freebuf.com/articles/network/211643.html)

- 2019.09 [diablohorn] [Notes on ZFS / Solaris forensics](https://diablohorn.com/2019/09/01/notes-on-zfs-solaris-forensics/)

- 2019.08 [THER] [[tool] Network Forensics with Tshark](https://www.youtube.com/watch?v=BETB___XKs0)

- 2019.08 [elcomsoft] [Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12](https://blog.elcomsoft.com/2019/08/passcode-vs-biometrics-forensic-implications-of-touch-id-and-face-id-in-ios-12/)

- 2019.08 [hackers] [Digital Forensics, Part 11: Recovering Stored Passwords from the Browser](https://www.hackers-arise.com/single-post/2019/08/27/Digital-Forensics-Part-11-Recovering-Stored-Passwords-from-the-Browser)

- 2019.08 [freebuf] [MIG：一款功能强大的高速分布式实时数据取证工具](https://www.freebuf.com/sectool/208933.html)

- 2019.08 [freebuf] [用于监控USB设备连接事件的取证工具](https://www.freebuf.com/sectool/210862.html)

- 2019.08 [0x00sec] [CAN-bus protocol pentesting and forensics](https://0x00sec.org/t/can-bus-protocol-pentesting-and-forensics/15689)

- 2019.08 [4hou] [有没有想过一个问题，适用于移动设备的取证方法能否照搬到台式计算机上？](https://www.4hou.com/web/19641.html)

- 2019.08 [mac4n6] [New Presentation from SANS DFIR Summit 2019 - They See Us Rollin', They Hatin' - Forensics of iOS CarPlay and Android Auto](https://www.mac4n6.com/blog/2019/8/6/new-presentation-from-sans-dfir-summit-2019-they-see-us-rollin-they-hatin-forensics-of-ios-carplay-and-android-auto)

- 2019.08 [X13Cubed] [NTFS Journal Forensics](https://www.youtube.com/watch?v=1mwiShxREm8)

- 2019.08 [MastersInEthicalHacking] [Computer Forensic Tutorials || Install Dumpzilla on Kali Linux](https://www.youtube.com/watch?v=fc8oZcTtidw)

- 2019.07 [elcomsoft] [Extended Mobile Forensics: Analyzing Desktop Computers](https://blog.elcomsoft.com/2019/07/extended-mobile-forensics-analyzing-desktop-computers/)

- 2019.07 [eforensicsmag] [Mounting forensic images using losetup cli [FREE COURSE CONTENT]](https://eforensicsmag.com/mounting-forensic-images-using-losetup-cli-free-course-content/)

- 2019.07 [elcomsoft] [iOS 13 (Beta) Forensics](https://blog.elcomsoft.com/2019/07/ios-13-beta-forensics/)

- 2019.07 [infosecinstitute] [Getting started in digital forensics](https://resources.infosecinstitute.com/podcast-getting-started-in-digital-forensics/)

- 2019.07 [4hou] [iOS越狱和物理取证指南](https://www.4hou.com/reverse/18468.html)

- 2019.07 [4hou] [对Apple Watch的取证分析（续）](https://www.4hou.com/web/18879.html)

- 2019.07 [eforensicsmag] [Case Study: Extracting And Analyzing Messenger Data With Oxygen Forensic Detective | By Nikola Novak](https://eforensicsmag.com/case-study-extracting-and-analyzing-messenger-data-with-oxygen-forensic-detective-by-nikola-novak/)

- 2019.07 [andreafortuna] [How to convert a Windows SFS (Dynamic Disks) partition to regular partition for forensic analysis](https://www.andreafortuna.org/2019/07/04/how-to-convert-a-windows-sfs-dynamic-disks-partition-to-regular-partition-for-forensic-analysis/)

- 2019.07 [4hou] [Apple TV和Apple Watch的取证分析](https://www.4hou.com/web/18830.html)

- 2019.07 [arxiv] [[1907.01421] Methodology for the Automated Metadata-Based Classification of Incriminating Digital Forensic Artefacts](https://arxiv.org/abs/1907.01421)

- 2019.06 [arxiv] [[1907.00074] Forensic Analysis of Third Party Location Applications in Android and iOS](https://arxiv.org/abs/1907.00074)

- 2019.06 [elcomsoft] [Apple Watch Forensics 02: Analysis](https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/)

- 2019.06 [hackers] [Network Forensics, Part 2: Packet-Level Analysis of the NSA's  EternalBlue Exploit](https://www.hackers-arise.com/single-post/2018/11/30/Network-Forensics-Part-2-Packet-Level-Analysis-of-the-EternalBlue-Exploit)

- 2019.06 [elcomsoft] [Apple TV and Apple Watch Forensics 01: Acquisition](https://blog.elcomsoft.com/2019/06/apple-tv-and-apple-watch-forensics-01-acquisition/)

- 2019.06 [eforensicsmag] [Forensic Analysis of OpenVPN on iOS | By Jack Farley](https://eforensicsmag.com/forensic-analysis-of-openvpn-on-ios-by-jack-farley/)

- 2019.06 [mac4n6] [New Presentation from MacDevOpsYVR 2019 - Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis](https://www.mac4n6.com/blog/2019/6/17/new-presentation-from-macdevopsyvr-2019-launching-apollo-creating-a-simple-tool-for-advanced-forensic-analysis)

- 2019.06 [eforensicsmag] [Forensic Acquisitions over Netcat | By Ali Hadi](https://eforensicsmag.com/forensic-acquisitions-over-netcat-by-ali-hadi/)

- 2019.06 [arxiv] [[1906.10625] Antiforensic techniques deployed by custom developed malware in evading anti-virus detection](https://arxiv.org/abs/1906.10625)

- 2019.06 [h2hconference] [Memory anti-anti-forensics in a nutshell - Fuschini & Rodrigues - H2HC 2013](https://www.youtube.com/watch?v=BdSwrhyjfMA)

- 2019.06 [elcomsoft] [Forensic Implications of iOS Jailbreaking](https://blog.elcomsoft.com/2019/06/forensic-implications-of-ios-jailbreaking/)

- 2019.06 [arxiv] [[1906.05268] Differential Imaging Forensics](https://arxiv.org/abs/1906.05268)

- 2019.06 [eforensicsmag] [My Digital Forensic Career Pathway | By Patrick Doody](https://eforensicsmag.com/my-digital-forensic-career-pathway-by-patrick-doody/)

- 2019.05 [trailofbits] [Using osquery for remote forensics](https://blog.trailofbits.com/2019/05/31/using-osquery-for-remote-forensics/)

- 2019.05 [freebuf] [CyberScan：用于数据包取证的渗透工具](https://www.freebuf.com/sectool/203306.html)

- 2019.05 [HackEXPlorer] [Digital Photo Forensics: How To analyze Fake Photos](https://www.youtube.com/watch?v=G1Y0UTMTF7o)

- 2019.05 [eforensicsmag] ["Most people neglect scrutinizing the basics" - Interview with Divya Lakshmanan, eForensics Instructor](https://eforensicsmag.com/most-people-neglect-scrutinizing-the-basics-interview-with-divya-lakshmanan-eforensics-instructor/)

- 2019.05 [andreafortuna] [How to read Windows Hibernation file (hiberfil.sys) to extract forensic data?](https://www.andreafortuna.org/2019/05/15/how-to-read-windows-hibernation-file-hiberfil-sys-to-extract-forensic-data/)

- 2019.05 [MastersInEthicalHacking] [Computer Memory Forensic Tutorial](https://www.youtube.com/watch?v=H_FL4n84LI0)

- 2019.05 [360] [2019 虎鲸杯电子取证大赛赛后复盘总结](https://www.anquanke.com/post/id/177714/)

- 2019.05 [eforensicsmag] [BLAZESCAN – digital forensic open source tool | By Brian Laskowski](https://eforensicsmag.com/blazescan-digital-forensic-open-source-tool-by-brian-laskowski/)

- 2019.04 [X13Cubed] [Free Tools From Magnet Forensics](https://www.youtube.com/watch?v=nTaYglAhbTU)

- 2019.04 [4hou] [利用LeechAgent对远程物理内存进行取证分析](https://www.4hou.com/technology/17336.html)

- 2019.04 [freebuf] [Imago-Forensics：Python实现的图像数字取证工具](https://www.freebuf.com/sectool/200845.html)

- 2019.04 [andreafortuna] [How to extract forensic artifacts from pagefile.sys?](https://www.andreafortuna.org/2019/04/17/how-to-extract-forensic-artifacts-from-pagefile-sys/)

- 2019.04 [scrtinsomnihack] [Dear Blue Team: Forensics Advice to Supercharge your DFIR capabilities by Joe Gray (@c_3pjoe)](https://www.youtube.com/watch?v=HEsCSba92XA)

- 2019.04 [eforensicsmag] [Instagram Forensics -Windows App Store | By Justin Boncaldo](https://eforensicsmag.com/instagram-forensics-windows-app-store-by-justin-boncaldo/)

- 2019.04 [arxiv] [[1904.01725] Using Google Analytics to Support Cybersecurity Forensics](https://arxiv.org/abs/1904.01725)

- 2019.03 [aliyun] [Compromised Server--取证挑战](https://xz.aliyun.com/t/4523)

- 2019.03 [4hou] [Windows注册表取证分析](https://www.4hou.com/info/news/15731.html)

- 2019.03 [arxiv] [[1903.10770] Blockchain Solutions for Forensic Evidence Preservation in IoT Environments](https://arxiv.org/abs/1903.10770)

- 2019.03 [compass] [Windows Forensics with Plaso](https://blog.compass-security.com/2019/03/windows-forensics-with-plaso/)

- 2019.03 [checkpoint] [Check Point Forensic Files: A New Monero CryptoMiner Campaign | Check Point Software Blog](https://blog.checkpoint.com/2019/03/19/check-point-forensic-files-monero-cryptominer-campaign-cryptojacking-crypto-apt-hacking/)

- 2019.03 [arxiv] [[1903.07703] A Survey of Electromagnetic Side-Channel Attacks and Discussion on their Case-Progressing Potential for Digital Forensics](https://arxiv.org/abs/1903.07703)

- 2019.03 [hexacorn] [PE Compilation Timestamps vs. forensics](http://www.hexacorn.com/blog/2019/03/11/pe-compilation-timestamps-vs-forensics/)

- 2019.03 [0x00sec] [A forensics repo?](https://0x00sec.org/t/a-forensics-repo/12157/)

- 2019.03 [crowdstrike] [AutoMacTC: Automating Mac Forensic Triage](https://www.crowdstrike.com/blog/automating-mac-forensic-triage/)

- 2019.03 [securityartwork] [Exchange forensics: The mysterious case of ghost mail (IV)](https://www.securityartwork.es/2019/03/06/exchange-forensics-the-mysterious-case-of-ghost-mail-iv/)

- 2019.03 [arxiv] [[1904.00734] Forensics Analysis of Xbox One Game Console](https://arxiv.org/abs/1904.00734)

- 2019.03 [ironcastle] [Special Webcast: SOF-ELK(R): A Free, Scalable Analysis Platform for Forensic, incident Response, and Security Operations – March 5, 2019 1:00pm US/Eastern](https://www.ironcastle.net/special-webcast-sof-elkr-a-free-scalable-analysis-platform-for-forensic-incident-response-and-security-operations-march-5-2019-100pm-us-eastern/)

- 2019.03 [securityartwork] [Exchange forensics: The mysterious case of ghost mail (III)](https://www.securityartwork.es/2019/03/05/exchange-forensics-the-mysterious-case-of-ghost-mail-iii/)

- 2019.03 [freebuf] [你可能没见过的流量取证](https://www.freebuf.com/articles/network/196374.html)

- 2019.03 [securityartwork] [Exchange forensics: The mysterious case of ghost mail (II)](https://www.securityartwork.es/2019/03/04/exchange-forensics-the-mysterious-case-of-ghost-mail-ii/)

- 2019.03 [HackerSploit] [Imago Forensics - Image Forensics Tutorial](https://www.youtube.com/watch?v=HIyObPWM6BM)

- 2019.02 [freebuf] [对恶意树莓派设备的取证分析](https://www.freebuf.com/articles/terminal/196085.html)

- 2019.02 [] [An Introduction to Exploratory Data Analysis with Network Forensics](https://401trg.com/introduction-to-exploratory-data-analysis/)

- 2019.02 [htbridge] [How to Use an Audit Log to Practice WordPress Forensics](https://www.htbridge.com/blog/benefits-activity-logs-wordpress-site.html)

- 2019.02 [htbridge] [How to Use an Audit Log to Practice WordPress Forensics](https://www.immuniweb.com/blog/benefits-activity-logs-wordpress-site.html)

- 2019.02 [arxiv] [[1903.03061] DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge](https://arxiv.org/abs/1903.03061)

- 2019.02 [arxiv] [[1903.01396] A complete formalized knowledge representation model for advanced digital forensics timeline analysis](https://arxiv.org/abs/1903.01396)

- 2019.02 [bhconsulting] [AWS Cloud: Proactive Security and Forensic Readiness – part 5](http://bhconsulting.ie/aws-incident-response/)

- 2019.02 [infosecinstitute] [Popular Computer Forensics Top 21 Tools [Updated for 2019]](https://resources.infosecinstitute.com/computer-forensics-tools/)

- 2019.02 [cybrary] [The Cost to Learn Computer Forensics](https://www.cybrary.it/2019/02/cost-learn-computer-forensics/)

- 2019.02 [cybrary] [“Ok Google. What is Forensic Analysis?”](https://www.cybrary.it/2019/02/ok-google-forensic-analysis/)

- 2019.02 [360] [从PowerShell内存中提取取证脚本内容](https://www.anquanke.com/post/id/170497/)

- 2019.02 [eforensicsmag] [How EnCase Software has Been Used Major Crime Cases (Plus how to use EnCase Forensic Imager Yourself) | By Brent Whitfield](https://eforensicsmag.com/how-encase-software-has-been-used-major-crime-cases-plus-how-to-use-encase-forensic-imager-yourself-by-brent-whitfield/)

- 2019.01 [4hou] [Linux内存取证：解析用户空间进程堆（下）](http://www.4hou.com/technology/15981.html)

- 2019.01 [4hou] [Linux内存取证：解析用户空间进程堆（中）](http://www.4hou.com/technology/15946.html)

- 2019.01 [cybrary] [Computer Forensics Jobs: How to get a job, and what you should know](https://www.cybrary.it/2019/01/computer-forensics-jobs-get-job/)

- 2019.01 [4hou] [Linux内存取证：解析用户空间进程堆（上）](http://www.4hou.com/technology/15826.html)

- 2019.01 [cybrary] [Computer Forensics Jobs: Is it really that difficult to enter the field?](https://www.cybrary.it/2019/01/computer-forensics-jobs-really-difficult-enter-field/)

- 2019.01 [checkpoint] [Check Point Forensic Files: GandCrab Returns with Friends (Trojans) | Check Point Software Blog](https://blog.checkpoint.com/2019/01/18/check-point-forensic-files-gandcrab-returns-with-friends-trojans/)

- 2019.01 [comae] [Leveraging Microsoft Graph API for memory forensics](https://medium.com/p/7ab7f9ea4d06)

- 2019.01 [cybrary] [Computer Forensics Jobs: Are there jobs available?](https://www.cybrary.it/2019/01/computer-forensics-jobs-jobs-available/)

- 2019.01 [leeholmes] [Extracting Forensic Script Content from PowerShell Process Dumps](https://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/)

- 2019.01 [freebuf] [iOS取证技巧：在无损的情况下完整导出SQLite数据库](https://www.freebuf.com/news/193684.html)

- 2019.01 [freebuf] [TorPCAP：Tor网络取证分析技术](https://www.freebuf.com/news/193660.html)

- 2019.01 [360] [Windows 注册表取证分析](https://www.anquanke.com/post/id/169435/)

- 2019.01 [freebuf] [Android取证：使用ADB和DD对文件系统做镜像](https://www.freebuf.com/articles/terminal/193354.html)

- 2019.01 [sans] [Go Big with Bootcamp for Advanced Memory Forensics and Threat Detection](https://digital-forensics.sans.org/blog/2019/01/09/go-big-with-bootcamp-for-advanced-memory-forensics-and-threat-detection)

- 2019.01 [fireeye] [Digging Up the Past: Windows Registry Forensics Revisited](https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html)

- 2019.01 [sans] [SANS FOR585 Q&A: Smartphone Forensics - Questions answered](https://digital-forensics.sans.org/blog/2019/01/07/sans-for585-qa-smartphone-forensics-questions-answered)

- 2019.01 [redcanary] [Our Automation Solution, Exec, Now Features Forensics, Human Approvals, and More](https://www.redcanary.com/blog/introducing-forensics-human-approvals-more-for-exec/)

- 2019.01 [4hou] [CTF取证方法总结](http://www.4hou.com/web/15206.html)

- 2018.12 [hitbsecconf] [#HITB2018DXB: Offensive Memory Forensics - Hugo Teso](https://www.youtube.com/watch?v=P-OpyGJcMHE)

- 2018.12 [4hou] [Check Point取证报告：SandBlast客户端能够监测到无文件GandCrab](http://www.4hou.com/typ/15295.html)

- 2018.12 [4hou] [Apple FSEvents相关的取证问题总结](http://www.4hou.com/web/15205.html)

- 2018.12 [checkpoint] [使用交互式的报告来展示勒索软件GandCrab最近的攻击活动, 以及攻击流程](https://blog.checkpoint.com/2018/12/17/fileless-gandcrab-sandblast-agent-malware-behavioral-guard/)

- 2018.12 [0x00sec] [Anti-forensic and File-less Malware](https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008/)

- 2018.12 [sans] [The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.](https://digital-forensics.sans.org/blog/2018/12/04/the-new-version-of-sof-elk-is-here-download-turn-on-and-get-going-on-forensics-analysis)

- 2018.12 [eforensicsmag] [Snapchat取证](https://eforensicsmag.com/not-quite-snapchat-forensics-by-gary-hunter/)

- 2018.12 [andreafortuna] [Android取证: 使用ADB和DD对文件系统做镜像](https://www.andreafortuna.org/dfir/android-forensics-imaging-android-file-system-using-adb-and-dd/)

- 2018.12 [CodeColorist] [iOS forensics trick: pull databases w/o full backup](https://medium.com/p/c79fa32e5c14)

- 2018.11 [DEFCONConference] [DEF CON 26 DATA DUPLICATION VILLAGE -  Lior Kolnik  - The Memory Remains Cold Drive Memory Forensics](https://www.youtube.com/watch?v=sI6D_CrMr-Q)

- 2018.11 [volatility] [Malware and Memory Forensics Training in 2019!](https://volatility-labs.blogspot.com/2018/11/malware-and-memory-forensics-training.html)

- 2018.11 [eforensicsmag] [LOGICUBE INTRODUCES EDUCATIONAL VIDEO SERIES FOR IT’S NEXT-GENERATION FORENSIC IMAGER, FALCON-NEO | from Logicube](https://eforensicsmag.com/logicube-introduces-educational-video-series-for-its-next-generation-forensic-imager-falcon-neo-from-logicube/)

- 2018.11 [mac4n6] [Do it Live! Dynamic iOS Forensic Testing](https://www.mac4n6.com/blog/2018/11/25/do-it-live-dynamic-ios-forensic-testing)

- 2018.11 [arxiv] [[1811.09239] Digital Forensics for IoT and WSNs](https://arxiv.org/abs/1811.09239)

- 2018.11 [n0where] [Extract Digital Evidences From Images: Imago-Forensics](https://n0where.net/extract-digital-evidences-from-images-imago-forensics)

- 2018.11 [andreafortuna] [AutoTimeliner: automatically extract forensic timeline from memory dumps](https://www.andreafortuna.org/dfir/autotimeliner-automatically-extract-forensic-timeline-from-memory-dumps/)

- 2018.11 [freebuf] [PcapXray：一款功能强大的带有GUI的网络取证工具](https://www.freebuf.com/sectool/188508.html)

- 2018.11 [WildWestHackinFest] [Six Sick Systems, One Hour: Investigate with Host Forensics](https://www.youtube.com/watch?v=dq-hSl-uVbw)

- 2018.11 [arxiv] [[1811.01629] On the Transferability of Adversarial Examples Against CNN-Based Image Forensics](https://arxiv.org/abs/1811.01629)

- 2018.11 [DEFCONConference] [DEF CON 26 VOTING VILLAGE - Carsten Schurmann - A Comprehensive Forensic Analysis of WINVote Voting](https://www.youtube.com/watch?v=CXYCtSwkWf8)

- 2018.11 [arxiv] [[1811.00701] Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset](https://arxiv.org/abs/1811.00701)

- 2018.10 [hackers] [网络审计之Wireshark基础, Part2](https://www.hackers-arise.com/single-post/2018/10/31/Network-Forensics-Wireshark-Basics-Part-2)

- 2018.10 [aliyun] [picoCTF2018 Writeup之Forensics篇](https://xz.aliyun.com/t/3098)

- 2018.10 [aliyun] [取证分析之发现Windows恶意程序执行痕迹](https://xz.aliyun.com/t/3067)

- 2018.10 [mac4n6] [Video Now Available - #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data](https://www.mac4n6.com/blog/2018/10/28/video-now-available-dfirfit-or-bust-a-forensic-exploration-of-ios-health-data)

- 2018.10 [insanitybit] [Grapl: A Graph Platform for Detection, Forensics, and Incident Response](http://insanitybit.github.io/2018/10/20/grapl-a-graph-platform-for-detection-forensics-and-incident-response)

- 2018.10 [krypt3ia] [Ryan S. Lin: Cyber Stalking, VPN’s and Digital Forensics](https://krypt3ia.wordpress.com/2018/10/13/ryan-s-lin-cyber-stalking-vpns-and-digital-forensics/)

- 2018.10 [pediy] [[原创]取证分析之逆向服务器提权开启3389远程连接工具](https://bbs.pediy.com/thread-247239.htm)

- 2018.10 [malwarenailed] [Live forensic collection and triage using CyLR, CDQR and Skadi](http://malwarenailed.blogspot.com/2018/10/live-forensic-collection-and-triage.html)

- 2018.10 [insinuator] [Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018](https://insinuator.net/2018/10/incident-analysis-and-digital-forensics-summit-2018-14th-of-november-of-2018/)

- 2018.10 [SSTecTutorials] [USB Forensics - Find History of Connected USB | Data Stolen By USB?](https://www.youtube.com/watch?v=eO_3kSZgRzg)

- 2018.10 [elearnsecurity] [Top 5 Skills for a Career in Digital Forensics](https://blog.elearnsecurity.com/top-5-skills-for-a-career-in-digital-forensics.html)

- 2018.10 [eforensicsmag] [Threat Intelligence: Taking a Fresh Look at Digital Forensics Backlogs | By Jonathan Zhang](https://eforensicsmag.com/threat-intelligence-taking-a-fresh-look-at-digital-forensics-backlogs-by-jonathan-zhang/)

- 2018.10 [welivesecurity] [How to find forensic computer tools for each incident](https://www.welivesecurity.com/2018/10/03/it-forensic-tools-find-right-one/)

- 2018.10 [elcomsoft] [iOS Forensics Training in Vienna: 17-19 Oct 2018](https://blog.elcomsoft.com/2018/10/ios-forensics-training-in-vienna-17-19-oct-2018/)

- 2018.10 [andreafortuna] [Accessing Volume Shadow Copies within a forensic image](https://www.andreafortuna.org/dfir/accessing-volume-shadow-copies-within-a-forensic-image/)

- 2018.09 [hackers] [Network Forensics, Part 2: Detecting and Analyzing a SCADA DoS Attack](https://www.hackers-arise.com/single-post/2018/09/27/Network-Forensics-Part-2-Detecting-and-Analyzing-a-SCADA-DoS-Attack)

- 2018.09 [hackers] [Network Forensics, Wireshark Basics, Part 1](https://www.hackers-arise.com/single-post/2018/09/24/Network-Forensics-Wireshark-Basics-Part-1)

- 2018.09 [4hou] [如何对苹果设备进行云取证](http://www.4hou.com/technology/13592.html)

- 2018.09 [4hou] [是迫于压力还是心甘情愿？年底之前，苹果将完成和执法机构的取证工作对接](http://www.4hou.com/info/news/13523.html)

- 2018.09 [eforensicsmag] [Ethics and Forensics- Time To Take A Hard Look | By Marisa Dery](https://eforensicsmag.com/ethics-and-forensics-time-to-take-a-hard-look-by-marisa-dery/)

- 2018.09 [elcomsoft] [Cloud Forensics: Why, What and How to Extract Evidence](https://blog.elcomsoft.com/2018/09/cloud-forensics-why-what-and-how-to-extract-evidence/)

- 2018.09 [arxiv] [[1809.00745] IoTDots: A Digital Forensics Framework for Smart Environments](https://arxiv.org/abs/1809.00745)

- 2018.09 [bhconsulting] [AWS Cloud: Proactive Security and Forensic Readiness – part 4](http://bhconsulting.ie/aws-detective-controls/)

- 2018.08 [freebuf] [Hindsight：Google ChromeChromium历史访问记录取证工具](http://www.freebuf.com/sectool/179734.html)

- 2018.08 [arxiv] [[1808.01196] Enabling Trust in Deep Learning Models: A Digital Forensics Case Study](https://arxiv.org/abs/1808.01196)

- 2018.08 [eforensicsmag] [Tracking Photo’s Geo-location with GPS EXIF DATA – Forensic Analysis | By Bala Ganesh](https://eforensicsmag.com/tracking-photos-geo-location-with-gps-exif-data-forensic-analysis-by-bala-ganesh/)

- 2018.07 [arxiv] [[1807.10436] Emerging from The Cloud: A Bibliometric Analysis of Cloud Forensics Studies](https://arxiv.org/abs/1807.10436)

- 2018.07 [arxiv] [[1807.10438] Internet of Things Security and Forensics: Challenges and Opportunities](https://arxiv.org/abs/1807.10438)

- 2018.07 [arxiv] [[1807.10445] Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study](https://arxiv.org/abs/1807.10445)

- 2018.07 [arxiv] [[1807.10359] B-CoC: A Blockchain-based Chain of Custody for Evidences Management in Digital Forensics](https://arxiv.org/abs/1807.10359)

- 2018.07 [arxiv] [[1807.10218] CloudMe Forensics: A Case of Big-Data Investigation](https://arxiv.org/abs/1807.10218)

- 2018.07 [arxiv] [[1807.10214] Cloud Storage Forensic: hubiC as a Case-Study](https://arxiv.org/abs/1807.10214)

- 2018.07 [pentesttoolz] [Hindsight – Internet History Forensics For Google Chrome/Chromium](https://pentesttoolz.com/2018/07/23/hindsight-internet-history-forensics-for-google-chrome-chromium/)

- 2018.07 [arxiv] [[1807.08264] Digital forensic investigation of two-way radio communication equipment and services](https://arxiv.org/abs/1807.08264)

- 2018.07 [] [Forensics Quickie: Identifying an Unknown GUID with Shellbags Explorer, Detailing Shell Item Extension Block 0xbeef0026, & Creative Cloud GUID Behavior](https://www.4n6k.com/2018/07/forensics-quickie-detailing-shell-item-guid-behavior-creative-cloud.html)

- 2018.07 [fireeye] [Leveraging Intelligence with FireEye Network Forensics](https://www.fireeye.com/blog/products-and-services/2018/07/leveraging-intelligence-with-fireeye-network-forensics.html)

- 2018.07 [NetflixTechBlog] [Netflix SIRT releases Diffy: A Differencing Engine for Digital Forensics in the Cloud](https://medium.com/p/37b71abd2698)

- 2018.07 [Sebdraven] [APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading](https://medium.com/p/5bc1a7e7c84c)

- 2018.07 [eforensicsmag] [Digital Forensics – Tracking & Target Locating .Jpegs via Metadata (Exif) | By Hector Barquero](https://eforensicsmag.com/digital-forensics-tracking-target-locating-jpegs-via-metadata-exif-by-hector-barquero/)

- 2018.07 [4hou] [攻击者从台湾科技公司窃取证书用于Plead恶意软件活动](http://www.4hou.com/web/12550.html)

- 2018.07 [eforensicsmag] [Network Forensics Village | By Alexander Kot](https://eforensicsmag.com/network-forensics-village-by-alexander-kot/)

- 2018.07 [HACKADAY] [DataGram - Forensic Locksmithing](https://www.youtube.com/watch?v=h79mw8B1b8k)

- 2018.07 [pentesttoolz] [Guasap – WhatsApp Forensic Tool](https://pentesttoolz.com/2018/07/05/guasap-whatsapp-forensic-tool/)

- 2018.07 [hackread] [最佳网络取证工具Top 7](https://www.hackread.com/top-7-cyber-forensic-tools/)

- 2018.06 [SecPgh] [Tactical, Practical, Digital Forensics - John Grim](https://www.youtube.com/watch?v=TQsf-MM95q0)

- 2018.06 [freebuf] [记一次服务器被入侵的调查取证](http://www.freebuf.com/articles/rookie/175370.html)

- 2018.06 [360] [企业APT攻击取证（windows版本）](https://www.anquanke.com/post/id/149182/)

- 2018.06 [elcomsoft] [iOS Forensic Toolkit 4.0 with Physical Keychain Extraction](https://blog.elcomsoft.com/2018/06/ios-forensic-toolkit-4-0-with-physical-keychain-extraction/)

- 2018.06 [countuponsecurity] [Digital Forensics – PlugX and Artifacts left behind](https://countuponsecurity.com/2018/06/20/digital-forensics-plugx-and-artifacts-left-behind/)

- 2018.06 [pediy] [[翻译]WhatsApp取证：对加密数据库进行解密和在尚未被Root的Android设备上提取已删除的消息](https://bbs.pediy.com/thread-228608.htm)

- 2018.06 [X13Cubed] [RDP Event Log Forensics](https://www.youtube.com/watch?v=myzG11BP3Sk)

- 2018.06 [mac4n6] [Presentation - #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data (SANS DFIR Summit)](https://www.mac4n6.com/blog/2018/6/15/presentation-dfirfit-or-bust-a-forensic-exploration-of-ios-health-data-sans-dfir-summit)

- 2018.06 [0x00sec] [Intro to Digital Forensics [Part 2 - Methodology and Process Models]](https://0x00sec.org/t/intro-to-digital-forensics-part-2-methodology-and-process-models/7122/)

- 2018.06 [SecurityFest] [Solomon Sonya - Advanced Memory Forensics NextGen Actionable Threat Intelligence - SecurityFest 2018](https://www.youtube.com/watch?v=id_T7Z3tvWA)

- 2018.06 [andreafortuna] [Dumpzilla: a forensic tool to extract information from browsers based on Firefox](https://www.andreafortuna.org/dfir/dumpzilla-a-forensic-tool-to-extract-information-from-browsers-based-on-firefox/)

- 2018.06 [andreafortuna] [analyzeMFT介绍](https://www.andreafortuna.org/dfir/using-mft-anomalies-to-spot-suspicious-files-in-forensic-analysis/)

- 2018.05 [aliyun] [【取证分析】CentOS_5.5_安装GCC编译LiME](https://xz.aliyun.com/t/2346)

- 2018.04 [freebuf] [内存取证：查找Metasploit的Meterpreter踪迹](http://www.freebuf.com/sectool/168218.html)

- 2018.04 [360] [如何通过内存取证技术追踪Metasploit Meterpreter](https://www.anquanke.com/post/id/104322/)

- 2018.03 [freebuf] [如何对已损坏的SQLite数据库取证分析？](http://www.freebuf.com/articles/database/164644.html)

- 2018.03 [hackers] [Digital Forensics, Part 10: Mobile  Forensics (Android)](https://www.hackers-arise.com/single-post/2018/03/25/Digital-Forensics-Part-10-Mobile-Forensics-Android)

- 2018.03 [4hou] [数字取证调查中如何获取网络连接的时间戳？](http://www.4hou.com/technology/10790.html)

- 2018.03 [hackers] [Digital Forensics, Part 5: Analyzing the Windows Registry for Evidence](https://www.hackers-arise.com/single-post/2016/10/21/Digital-Forensics-Part-5-Analyzing-the-Windows-Registry-for-Evidence)

- 2018.03 [360] [WhatsApp取证技术：如何在未Root的Android设备上解密数据库](https://www.anquanke.com/post/id/98382/)

- 2018.03 [sec] [网络犯罪调查与电子数据取证](https://www.sec-un.org/%e7%bd%91%e7%bb%9c%e7%8a%af%e7%bd%aa%e8%b0%83%e6%9f%a5%e4%b8%8e%e7%94%b5%e5%ad%90%e6%95%b0%e6%8d%ae%e5%8f%96%e8%af%81/)

- 2018.02 [hackers] [Network Forensics, Part 1](https://www.hackers-arise.com/single-post/2018/02/28/Network-Forensics-Part-1)

- 2018.02 [freebuf] [iPhone X未能幸免 | 以色列取证企业发现解锁任意iPhone设备的方法](http://www.freebuf.com/news/163634.html)

- 2018.02 [hackingarticles] [Digital Forensics Investigation through OS Forensics (Part 3)](http://www.hackingarticles.in/digital-forensics-investigation-os-forensics-part-3/)

- 2018.02 [hackingarticles] [Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)](http://www.hackingarticles.in/convert-virtual-machine-raw-images-forensics-qemu-img/)

- 2018.01 [hackingarticles] [Digital Forensics Investigation through OS Forensics (Part 2)](http://www.hackingarticles.in/digital-forensics-investigation-os-forensics-part-2/)

- 2018.01 [hackingarticles] [Digital Forensics Investigation using OS Forensics (Part1)](http://www.hackingarticles.in/digital-forensics-investigation-using-os-forensics-part1/)

- 2018.01 [hackingarticles] [Forensic Imaging through Encase Imager](http://www.hackingarticles.in/forensic-imaging-encase/)

- 2018.01 [hackingarticles] [Forensic Investigation of Nmap Scan using Wireshark](http://www.hackingarticles.in/forensic-investigation-of-nmap-scan-using-wireshark/)

- 2018.01 [boredhackerblog] [Digital Forensics and Law](http://www.boredhackerblog.info/2018/01/digital-forensics-and-law.html)

- 2018.01 [hackingarticles] [Forensic Data Carving using Foremost](http://www.hackingarticles.in/forensic-data-carving-using-foremost/)

- 2018.01 [4hou] [云存储服务的数字取证（下）](http://www.4hou.com/technology/9808.html)

- 2018.01 [4hou] [云存储服务的数字取证（上）](http://www.4hou.com/data/9807.html)

- 2018.01 [hackingarticles] [Forensics Tools in Kali](http://www.hackingarticles.in/forensics-tools-kali/)

- 2018.01 [hackingarticles] [Network Packet Forensic using Wireshark](http://www.hackingarticles.in/network-packet-forensic-using-wireshark/)

- 2017.12 [cert] [GreHack 2017 – Write Up Forensic 400](https://www.cert-devoteam.fr/publications/en/grehack-2017-write-up-forensic-400/)

- 2017.11 [freebuf] [著名开源网络取证工具Xplico远程未授权RCE漏洞](http://www.freebuf.com/sectool/154523.html)

- 2017.10 [freebuf] [反取证技术：内核模式下的进程隐蔽](http://www.freebuf.com/articles/web/148515.html)

- 2017.10 [4hou] [内存取证分析的实战演练](http://www.4hou.com/technology/5860.html)

- 2017.10 [n0where] [Wireless Monitoring, Intrusion Detection & Forensics: Nzyme](https://n0where.net/wireless-monitoring-intrusion-detection-forensics-nzyme)

- 2017.09 [sans] [Forensic use of mount --bind](https://isc.sans.edu/forums/diary/Forensic+use+of+mount+bind/22854/)

- 2017.09 [360] [PCRT：一款自动化检测修复PNG损坏的取证工具](https://www.anquanke.com/post/id/86793/)

- 2017.09 [elcomsoft] [iOS 11 中的新安全措施及其Forensic Implications](https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/)

- 2017.08 [freebuf] [内存取证三项CTF赛题详解](http://www.freebuf.com/articles/rookie/145262.html)

- 2017.08 [aliyun] [威胁猎杀与主动取证](https://xz.aliyun.com/t/1057)

- 2017.08 [securelayer7] [胖客户端渗透测试的工具与技巧 - Part 4: 静态分析、内存取证与逆向分析](http://blog.securelayer7.net/static-analysismemory-forensics-reverse-engineering-thick-client-penetration-testing-part-4/)

- 2017.08 [freebuf] [详解Windows注册表分析取证](http://www.freebuf.com/articles/system/142417.html)

- 2017.08 [pediy] [[翻译]CTF取证类题目指南](https://bbs.pediy.com/thread-220021.htm)

- 2017.07 [aliyun] [[ISS 2017]电子数据取证 议题分享一：网络犯罪魔与道：过去、现在、未来](https://xz.aliyun.com/t/731)

- 2017.07 [aliyun] [[ISS 2017]电子数据取证 议题分享二：计算机取证，科学?](https://xz.aliyun.com/t/732)

- 2017.07 [4hou] [BlackHat2017热点之DefPloreX---大规模网络犯罪取证的机器学习工具](http://www.4hou.com/tools/6881.html)

- 2017.07 [trendmicro] [defplorex 介绍](https://blog.trendmicro.com/trendlabs-security-intelligence/defplorex-machine-learning-toolkit-large-scale-ecrime-forensics/)

- 2017.07 [securelist] [bitscout 介绍](https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-builder/78991/)

- 2017.06 [360] [数字取证技术——NTFS更改日志](https://www.anquanke.com/post/id/86265/)

- 2017.06 [secist] [22款受欢迎的计算机取证工具](http://www.secist.com/archives/3743.html)

- 2017.06 [freebuf] [22款受欢迎的计算机取证工具](http://www.freebuf.com/sectool/136921.html)

- 2017.06 [4hou] [工具推荐：22款最流行的计算机取证工具【2017年更新版】](http://www.4hou.com/tools/5331.html)

- 2017.06 [nicoleibrahim] [Apple FSEvents 取证。文章从较高的角度介绍了 Apple 存储在磁盘上的文件系统事件，包括 FSEvents 的背景信息、日志位置、记录结构、行为、事件解析、值得注意的事件以及事件说明等。](http://nicoleibrahim.com/apple-fsevents-forensics/)

- 2017.06 [freebuf] [基于bro的计算机入侵取证实战分析](http://www.freebuf.com/articles/system/135843.html)

- 2017.06 [n0where] [Digital Forensics Platform: Autopsy](https://n0where.net/digital-forensics-platform-autopsy)

- 2017.05 [360] [Linux取证技术实践](https://www.anquanke.com/post/id/86177/)

- 2017.05 [countuponsecurity] [数据取证：NTFS change journal](https://countuponsecurity.com/2017/05/25/digital-forensics-ntfs-change-journal/)

- 2017.05 [freebuf] [计算机取证在企业安全中的实际应用](http://www.freebuf.com/articles/others-articles/134283.html)

- 2017.04 [hackingarticles] [Mobile Forensics Investigation using Cellebrite UFED](http://www.hackingarticles.in/mobile-forensics-investigation-using-cellebrite-ufed/)

- 2017.04 [ionize] [BSides Canberra 2017 CTF Writeup – Forensics – Capture This Challenge](https://ionize.com.au/bsides-canberra-2017-ctf-writeup-forensics-capture-challenge/)

- 2017.03 [4hou] [反取证、密码学、逆向工程软件…… 10大最好的网络安全Reddit都在这儿](http://www.4hou.com/info/news/3959.html)

- 2017.03 [freebuf] [数字取证技术 ：Windows内存信息提取](http://www.freebuf.com/articles/system/129463.html)

- 2017.03 [csyssec] [名人课堂-高级数字取证与数据逆向工程](http://www.csyssec.org/20170306/course-zhiqianglin1/)

- 2017.01 [n0where] [Open Source File System Digital Forensics: The Sleuth Kit](https://n0where.net/open-source-file-system-digital-forensics-the-sleuth-kit)

- 2017.01 [securestate] [CTF Example – Forensics](https://warroom.securestate.com/forensic-files-a-ctf-beginners-guide/)

- 2017.01 [welivesecurity] [Forensic analysis techniques for digital imaging](https://www.welivesecurity.com/2017/01/13/forensic-analysis-techniques-digital-imaging/)

- 2017.01 [freebuf] [为保护隐私而生，反取证操作系统：kodachi](http://www.freebuf.com/sectool/124486.html)

- 2017.01 [n0where] [Secure Anti Forensic Anonymous Operating System: kodachi](https://n0where.net/secure-anti-forensic-anonymous-operating-system-kodachi)

- 2016.12 [lightless] [SECCON2016取证题WriteUP](https://lightless.me/archives/SECCON-2016-Forensics-WP.html)

- 2016.11 [hackers] [Digital Forensics, Part 8: Live Analysis with sysinternals](https://www.hackers-arise.com/single-post/2016/11/29/Digital-Forensics-Part-7-Live-Analysis-with-sysinternals)

- 2016.11 [hackers] [Digital Forensics, Part 7: Browser Forensics](https://www.hackers-arise.com/single-post/2016/11/17/Digital-Forensics-Part-7-Browser-Forensics)

- 2016.11 [n0where] [PowerShell Digital Forensics: PowerForensics](https://n0where.net/powershell-digital-forensics-powerforensics)

- 2016.11 [hackers] [Digital Forensics, Part 6: Analyzing Windows Pre-fetch Files for Evidence](https://www.hackers-arise.com/single-post/2016/11/02/Digital-Forensics-Part-6-Analyzing-Windows-Pre-fetch-Files-for-Evidence)

- 2016.10 [hackers] [Digital Forensics, Part 4: Finding Key Evidence in the Forensic Image](https://www.hackers-arise.com/single-post/2016/10/14/Digital-Forensics-Part-4-Finding-Key-Evidence-in-the-Forensic-Image)

- 2016.10 [hackers] [Digital Forensics, Part 3: Recovering Deleted Files](https://www.hackers-arise.com/single-post/2016/10/10/Digital-Forensics-Part-3-Recovering-Deleted-Files)

- 2016.10 [hackers] [Anti-Forensics: How to Clear Evidence Like Hillary Clinton](https://www.hackers-arise.com/single-post/2016/09/06/Anti-Forensics-How-to-Clean-Evidence-Like-Hillary-Clinton)

- 2016.09 [hackers] [Digital Forensics, Part 2:  Live Memory Acquisition and Analysis](https://www.hackers-arise.com/single-post/2016/09/27/Digital-Forensics-Part-2-Live-Memory-Acquisition-and-Analysis)

- 2016.09 [sans] [Back in Time Memory Forensics](https://isc.sans.edu/forums/diary/Back+in+Time+Memory+Forensics/21527/)

- 2016.09 [hackers] [Digital Forensics, Part 1: Capturing a Forensically Sound Image](https://www.hackers-arise.com/single-post/2016/09/19/Digital-Forensics-Part-1-Capturing-a-Forensically-Sound-Image)

- 2016.09 [sans] [Windows Events log for IR/Forensics ,Part 2](https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+2/21501/)

- 2016.09 [n0where] [Windows Forensic Data Collection: IR-rescue](https://n0where.net/windows-forensic-data-collection-ir-rescue)

- 2016.09 [sans] [Windows Events log for IR/Forensics ,Part 1](https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/)

- 2016.09 [n0where] [Forensic File System Reconstruction: RecuperaBit](https://n0where.net/forensic-file-system-reconstruction-recuperabit)

- 2016.08 [n0where] [USB Anti Forensic Tool: usbdeath](https://n0where.net/usb-anti-forensic-tool-usbdeath)

- 2016.08 [rapid7] [Using Log Data as Forensic Evidence](https://blog.rapid7.com/2016/08/12/using-log-data-as-forensic-evidence/)

- 2016.08 [sans] [Looking for the insider: Forensic Artifacts on iOS Messaging App](https://isc.sans.edu/forums/diary/Looking+for+the+insider+Forensic+Artifacts+on+iOS+Messaging+App/21363/)

- 2016.08 [n0where] [OS X Forensic Evidence Collection: OSXCollector](https://n0where.net/os-x-forensic-evidence-collection-osxcollector)

- 2016.07 [n0where] [Incident Response Forensic Framework: nightHawk Response](https://n0where.net/incident-response-forensic-framework-nighthawk-response)

- 2016.07 [n0where] [Offline Digital Forensics Tool for Binary Files: ByteForce](https://n0where.net/offline-digital-forensics-tool-byteforce)

- 2016.06 [hackers] [Covering your BASH Shell Tracks- Anti-Forensics](https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics)

- 2016.06 [rapid7] [Trip Report: Techno Security & Forensics Investigations Conference](https://blog.rapid7.com/2016/06/09/trip-report-techno-security-forensics-investigations-conference/)

- 2016.06 [sans] [Performing network forensics with Dshell. Part 2: Decoder development process](https://isc.sans.edu/forums/diary/Performing+network+forensics+with+Dshell+Part+2+Decoder+development+process/21123/)

- 2016.05 [sans] [Performing network forensics with Dshell. Part 1: Basic usage](https://isc.sans.edu/forums/diary/Performing+network+forensics+with+Dshell+Part+1+Basic+usage/21035/)

- 2016.05 [n0where] [Open Source Intelligence and Forensics : Maltego](https://n0where.net/open-source-intelligence-and-forensics-maltego)

- 2016.04 [sans] [An Introduction to Mac memory forensics](https://isc.sans.edu/forums/diary/An+Introduction+to+Mac+memory+forensics/20989/)

- 2016.04 [n0where] [Advanced Forensics File Format: AFF4](https://n0where.net/advanced-forensics-file-format-aff4)

- 2016.03 [sans] [Improving Bash Forensics Capabilities](https://isc.sans.edu/forums/diary/Improving+Bash+Forensics+Capabilities/20887/)

- 2016.03 [sans] [Forensicating Docker, Part 1](https://isc.sans.edu/forums/diary/Forensicating+Docker+Part+1/20835/)

- 2016.03 [hackingarticles] [Wifi Forensic Investigation using Wifihistoryview](http://www.hackingarticles.in/wifi-forensic-investigation-using-wifihistoryview/)

- 2016.02 [freebuf] [针对爱尔兰DDoS攻击的取证分析](http://www.freebuf.com/articles/network/96179.html)

- 2016.02 [nsfocus] [加强调查取证，夯实威胁情报基础](http://blog.nsfocus.net/security-incident-investigation-to-threat-intelligence/)

- 2016.02 [360] [新型DDOS攻击分析取证](https://www.anquanke.com/post/id/83443/)

- 2016.01 [freebuf] [Joy：捕获数据包、分析网络流量数据、网络取证及安全监控工具](http://www.freebuf.com/sectool/93017.html)

- 2016.01 [freebuf] [分析取证指南：取证工具推荐](http://www.freebuf.com/sectool/92946.html)

- 2016.01 [sans] [toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics](https://isc.sans.edu/forums/diary/toolsmith+112+Red+vs+Blue+PowerSploit+vs+PowerForensics/20579/)

- 2015.12 [freebuf] [针对国外一款超火约会软件Tinder的取证分析](http://www.freebuf.com/articles/terminal/91546.html)

- 2015.12 [freebuf] [开源网络取证工具Xplico](http://www.freebuf.com/sectool/88496.html)

- 2015.11 [secist] [调查取证之图像还原](http://www.secist.com/archives/2131.html)

- 2015.11 [secist] [调查取证之文字还原](http://www.secist.com/archives/2110.html)

- 2015.11 [n0where] [Network Forensic Analysis Tool: Xplico](https://n0where.net/network-forensic-analysis-tool-xplico)

- 2015.11 [n0where] [Digital Forensics Distro: CAINE](https://n0where.net/digital-forensics-distro-caine)

- 2015.11 [hackingarticles] [Forensic Investigation of Any Mobile Phone with MOBILedit Forensic](http://www.hackingarticles.in/forensic-investigation-of-any-mobile-phone-with-mobiledit-forensic/)

- 2015.10 [hackingarticles] [Android Mobile Device Forensics with Mobile Phone Examiner Plus](http://www.hackingarticles.in/android-mobile-device-forensics-with-mobile-phone-examiner-plus/)

- 2015.10 [360] [WMI 的攻击，防御与取证分析技术之攻击篇](https://www.anquanke.com/post/id/82798/)

- 2015.10 [hackingarticles] [How to Create a Forensic Image of Android Phone using Magnet Acquire](http://www.hackingarticles.in/how-to-create-a-forensic-image-of-andorid-phone-using-magnet-acquire/)

- 2015.10 [hackingarticles] [Forensics Investigation of Android Phone using Andriller](http://www.hackingarticles.in/forensics-investigation-of-android-phone-using-andriller/)

- 2015.10 [hackingarticles] [Logical Forensics of an Android Device using AFLogical](http://www.hackingarticles.in/logical-forensics-of-an-android-device-using-aflogical/)

- 2015.10 [hackingarticles] [SANTOKU Linux- Overview of Mobile Forensics Operating System](http://www.hackingarticles.in/santoku-linux-overview-of-mobile-forensics-operating-system/)

- 2015.10 [hackingarticles] [Forensics Analysis of Pagefile and hibersys File in Physical Memory](http://www.hackingarticles.in/forensics-analysis-of-pagefile-and-hibersys-file-in-physical-memory/)

- 2015.09 [hackingarticles] [4 ways Capture Memory for Analysis (Memory Forensics)](http://www.hackingarticles.in/4-ways-capture-memory-for-analysis-memory-forensics/)

- 2015.09 [hackingarticles] [Forensic Investigation of RAW Image using Forensics Explorer (Part 1)](http://www.hackingarticles.in/forensic-investigation-of-raw-image-using-forensics-explorer-part-1/)

- 2015.09 [hackingarticles] [Forensic   Investigation Tutorial Using DEFT](http://www.hackingarticles.in/forensic-investigation-tutorial-using-deft/)

- 2015.09 [freebuf] [“短信拦截马”黑色产业链与溯源取证研究](http://www.freebuf.com/articles/terminal/77331.html)

- 2015.07 [hackingarticles] [Forensics Investigon of RAW Images using Belkasoft Evidence Center](http://www.hackingarticles.in/forensics-investigon-of-raw-images-using-belkasoft-evidence-center/)

- 2015.07 [hackingarticles] [How to Clone Drive for Forensics Purpose](http://www.hackingarticles.in/how-to-clone-drive-for-forensics-purpose/)

- 2015.06 [hackingarticles] [Best of Computer Forensics Tutorials](http://www.hackingarticles.in/best-of-computer-forensics-tutorials/)

- 2015.06 [hackingarticles] [Forensics Investigation of Deleted Files in a Drive](http://www.hackingarticles.in/forensics-investigation-of-deleted-files-in-a-drive/)

- 2015.06 [hackingarticles] [Comparison of two Files for forensics investigation by Compare IT](http://www.hackingarticles.in/comparison-of-two-files-for-forensics-investigation-by-compare-it/)

- 2015.06 [hackingarticles] [Live Forensics Case Investigation using Autopsy](http://www.hackingarticles.in/live-forensics-case-investigation-using-autopsy/)

- 2015.06 [hackingarticles] [How to Install Digital Forensics Framework in System](http://www.hackingarticles.in/how-to-install-digital-forensics-framework-in-system/)

- 2015.06 [hackingarticles] [Forensics Investigation of Facebook, Skype, and Browsers in RAW Image using IEF (Internet Evidence Finder)](http://www.hackingarticles.in/forensics-investigation-of-facebook-skype-and-browsers-in-raw-image-using-ief-internet-evidence-finder/)

- 2015.06 [hackingarticles] [How to Create Drive Image for Forensic Purpose using Forensic Replicator](http://www.hackingarticles.in/how-to-create-drive-image-for-forensic-purpose-using-forensic-replicator/)

- 2015.06 [hackingarticles] [Outlook Forensics Investigation using E-Mail Examiner](http://www.hackingarticles.in/outlook-forensics-investigation-using-e-mail-examiner/)

- 2015.06 [hackingarticles] [How to Preserve Forensics Image file Timestamp](http://www.hackingarticles.in/how-to-preserve-forensics-image-file-timestamp/)

- 2015.05 [hackingarticles] [Forensics Investigation of Evidence RAW Image using OS Forensics Tool](http://www.hackingarticles.in/forensics-investigation-of-evidence-raw-image-using-os-forensics-tool/)

- 2015.05 [hackingarticles] [How to Create and Convert RAW Image in Encase and AFF Format using Forensics Imager](http://www.hackingarticles.in/how-to-create-and-convert-raw-image-in-encase-and-aff-format-using-forensics-imager/)

- 2015.05 [hackingarticles] [How to Mount Forensics image as a Drive using P2 eXplorer Pro](http://www.hackingarticles.in/how-to-mount-forensics-image-as-a-drive-using-p2-explorer-pro/)

- 2015.05 [hackingarticles] [How to gather Forensics Investigation Evidence using ProDiscover Basic](http://www.hackingarticles.in/how-to-gather-forensics-investigation-evidence-using-prodiscover-basic/)

- 2015.05 [hackingarticles] [How to study Forensics Evidence of PC using P2 Commander (Part 2)](http://www.hackingarticles.in/how-to-study-forensics-evidence-of-pc-using-p2-commander-part-2/)

- 2015.05 [hackingarticles] [How to Collect Forensics Evidence of PC using P2 Commander (Part 1)](http://www.hackingarticles.in/how-to-collect-forensics-evidence-of-pc-using-p2-commander-part-1/)

- 2015.05 [hackingarticles] [How to Create Forensics Image of PC using R-Drive Image](http://www.hackingarticles.in/how-to-create-forensics-image-of-pc-using-r-drive-image/)

- 2015.04 [hackingarticles] [Forensic Investigation of victim pc using Autopsy](http://www.hackingarticles.in/forensic-investigation-of-victim-pc-using-autopsy/)

- 2015.04 [hackingarticles] [Forensic Investigation of any Twitter account](http://www.hackingarticles.in/forensic-investigation-of-any-twitter-account/)

- 2015.04 [hackingarticles] [How to perform Forensic Investigation on user Linkedin Account](http://www.hackingarticles.in/how-to-perform-forensic-investigation-on-user-linkedin-account/)

- 2015.04 [hackingarticles] [How to Perform Forensic Investigation on YouTube](http://www.hackingarticles.in/how-to-perform-forensic-investigation-on-youtube/)

- 2015.04 [hackingarticles] [Forensic Investigation of any FaceBook Profile](http://www.hackingarticles.in/forensic-investigation-of-any-facebook-profile/)

- 2015.04 [sans] [Memory Forensics Of Network Devices](https://isc.sans.edu/forums/diary/Memory+Forensics+Of+Network+Devices/19591/)

- 2015.03 [hackingarticles] [How to find the usage of files in Remote victim PC (Remote PC Forensics)](http://www.hackingarticles.in/how-to-find-the-usage-of-files-in-remote-victim-pc-remote-pc-forensics/)

- 2015.03 [] [Web日志取证分析工具](http://www.91ri.org/12592.html)

- 2015.02 [] [电子取证实例：基于磁盘的数据取证](http://www.91ri.org/12339.html)

- 2015.02 [n0where] [Forensic Data Extraction: Bulk Extractor](https://n0where.net/forensic-data-extraction-bulk-extractor)

- 2015.02 [] [从一次取证到反渗透](http://www.91ri.org/12308.html)

- 2015.02 [sans] [Another Network Forensic Tool for the Toolbox - Dshell](https://isc.sans.edu/forums/diary/Another+Network+Forensic+Tool+for+the+Toolbox+Dshell/19277/)

- 2015.02 [freebuf] [电子取证实例：基于文件系统的磁盘数据取证分析](http://www.freebuf.com/articles/system/57804.html)

- 2015.01 [n0where] [Dshell – Network Forensic Analysis Framework](https://n0where.net/dshell-network-forensic-analysis-framework)

- 2015.01 [hackingarticles] [How to Collect Email Evidence in Victim PC (Email Forensics)](http://www.hackingarticles.in/how-to-collect-email-evidence-in-victim-pc-email-forensics/)

- 2015.01 [hackingarticles] [Forensics Analysis of Social Media Sites like Facebook, Twitter, LinkedIn](http://www.hackingarticles.in/forensics-analysis-of-social-media-sites-like-facebook-twitter-linkedin/)

- 2014.11 [freebuf] [Linux入侵取证：从一次应急事件讲起](http://www.freebuf.com/articles/system/50728.html)

- 2014.10 [] [云端博弈——云安全入侵取证及思考](http://www.91ri.org/11170.html)

- 2014.10 [tencent] [云端博弈——云安全入侵取证及思考](https://security.tencent.com/index.php/blog/msg/72)

- 2014.10 [sec] [容易被忽略的Anti-APT产品-网络取证工具NFT](https://www.sec-un.org/overlooked-anti-apt-products-network-forensic-tools-nft/)

- 2014.08 [n0where] [Digital Forensics Toolkit: DEFT](https://n0where.net/digital-forensics-toolkit-deft)

- 2014.08 [freebuf] [FB公开课录像：隐蔽通信（FQ）和侦查取证那些事儿](http://www.freebuf.com/video/40500.html)

- 2014.07 [freebuf] [FreeBuf公开课（直播课程）：隐蔽通信（FQ）和侦查取证那些事儿](http://www.freebuf.com/fevents/39454.html)

- 2014.05 [freebuf] [电子取证之Linux PCI分析](http://www.freebuf.com/articles/system/35490.html)

- 2014.04 [hackingarticles] [Hack MOBILedit Forensic 6.9 Registration (Easy Way)](http://www.hackingarticles.in/hack-mobiledit-forensic-6-9-registration-easy-way/)

- 2014.03 [freebuf] [走进计算机取证分析的神秘世界](http://www.freebuf.com/articles/terminal/29653.html)

- 2014.02 [hackingarticles] [Forensics Investigation of Remote PC (Part 2)](http://www.hackingarticles.in/forensics-investigation-of-remote-pc-part-2/)

- 2014.02 [hackingarticles] [Forensics Investigation of Remote PC (Part 1)](http://www.hackingarticles.in/forensics-investigation-of-remote-pc-part-1/)

- 2014.01 [freebuf] [渗透测试中的冷却启动攻击和其他取证技术](http://www.freebuf.com/articles/system/23409.html)

- 2013.12 [pediy] [[原创]xls文件取证](https://bbs.pediy.com/thread-182739.htm)

- 2013.11 [n0where] [Network Takeover Forensic Analysis: FS-NyarL](https://n0where.net/network-takeover-forensic-analysis-fs-nyarl)

- 2013.05 [sans] [Call for Papers - 4th annual Forensics and Incident Response Summit EU](https://isc.sans.edu/forums/diary/Call+for+Papers+4th+annual+Forensics+and+Incident+Response+Summit+EU/15809/)

- 2013.05 [freebuf] [移动设备取证、恶意软件分析和安全测试套件—Santoku](http://www.freebuf.com/sectool/9280.html)

- 2013.05 [n0where] [Mobile Forensics: Santoku](https://n0where.net/mobile-forensics-santoku)

- 2013.04 [freebuf] [针对取证的GNU/Linux发行版: PALADIN](http://www.freebuf.com/sectool/8232.html)

- 2013.01 [pediy] [[推荐]Android取证和安全测试开放课程](https://bbs.pediy.com/thread-160891.htm)

- 2012.10 [welivesecurity] [PC Support Scams: a Forensic View](https://www.welivesecurity.com/2012/10/30/pc-support-scams-a-forensic-view/)

- 2012.10 [welivesecurity] [Defeating anti-forensics in contemporary complex threats](https://www.welivesecurity.com/2012/10/11/defeating-anti-forensics-in-contemporary-complex-threats/)

- 2012.09 [freebuf] [[更新]GUI界面文件信息取证分析工具-FileInfo V6.0](http://www.freebuf.com/sectool/5740.html)

- 2012.07 [freebuf] [渗透测试、电子取证系统 – Bugtraq-I](http://www.freebuf.com/sectool/5165.html)

- 2012.07 [freebuf] [Iphone取证(一)](http://www.freebuf.com/articles/wireless/5009.html)

- 2012.06 [freebuf] [开源数字调查/取证工具 – Sleuth Kit v4.0.0 Beta1](http://www.freebuf.com/sectool/3097.html)

- 2012.05 [freebuf] [数字取证工具包-SIFT](http://www.freebuf.com/sectool/1315.html)

- 2012.03 [hackingarticles] [Antivirus Forensics Tools](http://www.hackingarticles.in/antivirus-forensics-tools/)

- 2012.02 [hackingarticles] [BFT (Browser Forensic Tool )](http://www.hackingarticles.in/bft-browser-forensic-tool/)

- 2012.01 [rapid7] [Metasploit Updated: Forensics, SCADA, SSH Public Keys, and More](https://blog.rapid7.com/2012/01/19/metasploit-framework-updated/)

- 2012.01 [rapid7] [Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering](https://blog.rapid7.com/2012/01/16/adventures-in-the-windows-nt-registry-a-step-into-the-world-of-forensics-and-ig/)

- 2011.11 [hackingarticles] [How to View Windows system reboot Date and Time (Windows Forensics)](http://www.hackingarticles.in/how-to-view-windows-system-reboot-date-and-time-windows-forensics/)

- 2011.09 [sans] [Analyzing Mobile Device Malware - Honeynet Forensic Challenge 9 and Some Tools](https://isc.sans.edu/forums/diary/Analyzing+Mobile+Device+Malware+Honeynet+Forensic+Challenge+9+and+Some+Tools/11521/)

- 2011.09 [hackingarticles] [Find Last Connected USB on your system (USB Forensics)](http://www.hackingarticles.in/find-last-connected-usb-on-your-system-usb-forensics/)

- 2011.09 [hackingarticles] [List of Computer Forensics Tools (Part 1)](http://www.hackingarticles.in/list-of-computer-forensics-tools/)

- 2010.11 [trendmicro] [STUXNET Scanner: A Forensic Tool](https://blog.trendmicro.com/trendlabs-security-intelligence/stuxnet-scanner-a-forensic-tool/)

- 2010.09 [sans] [Quick Forensic Challenge](https://isc.sans.edu/forums/diary/Quick+Forensic+Challenge/9598/)

- 2010.06 [sans] [New Honeynet Project Forensic Challenge](https://isc.sans.edu/forums/diary/New+Honeynet+Project+Forensic+Challenge/8905/)

- 2010.05 [sans] [SANS 2010 Digital Forensics Summit - APT Based Forensic Challenge](https://isc.sans.edu/forums/diary/SANS+2010+Digital+Forensics+Summit+APT+Based+Forensic+Challenge/8839/)

- 2010.05 [sans] [2010 Digital Forensics and Incident Response Summit](https://isc.sans.edu/forums/diary/2010+Digital+Forensics+and+Incident+Response+Summit/8830/)

- 2010.04 [sans] [Network and process forensics toolset](https://isc.sans.edu/forums/diary/Network+and+process+forensics+toolset/8611/)

- 2010.01 [sans] [Forensic challenges](https://isc.sans.edu/forums/diary/Forensic+challenges/8014/)

- 2009.12 [sans] [Anti-forensics, COFEE vs. DECAF](https://isc.sans.edu/forums/diary/Antiforensics+COFEE+vs+DECAF/7741/)

- 2009.08 [sans] [Network Forensics Puzzle Contest](https://isc.sans.edu/forums/diary/Network+Forensics+Puzzle+Contest/6997/)

- 2009.08 [sans] [Forensics: Mounting partitions from full-disk 'dd' images](https://isc.sans.edu/forums/diary/Forensics+Mounting+partitions+from+fulldisk+dd+images/6991/)

- 2009.07 [riusksk] [Windows平台下的监控取证技术](http://riusksk.me/2009/07/07/Windows平台下的监控取证技术/)

- 2009.07 [pediy] [[原创]Windows平台下的取证技术](https://bbs.pediy.com/thread-92786.htm)

- 2008.10 [sans] [Day 19 - Eradication:  Forensic Analysis Tools - What Happened?](https://isc.sans.edu/forums/diary/Day+19+Eradication+Forensic+Analysis+Tools+What+Happened/5200/)

- 2005.05 [sans] [Firefox 1.0.4; DNSSEC Tools; Phisher's benefit use Google link; Viewing Chat Logs; Web Browser Forensics; Gecko Based Browers HTTP Authentication Prompt Vulnerability](https://isc.sans.edu/forums/diary/Firefox+104+DNSSEC+Tools+Phishers+benefit+use+Google+link+Viewing+Chat+Logs+Web+Browser+Forensics+Gecko+Based+Browers+HTTP+Authentication+Prompt+Vulnerability/536/)

***

## Volatility

- 2019.11 [volatility] [Results from the 2019 Volatility Contests are in!](https://volatility-labs.blogspot.com/2019/11/results-from-2019-volatility-contests.html)

- 2019.10 [volatility] [Announcing the Volatility 3 Public Beta!](https://volatility-labs.blogspot.com/2019/10/announcing-volatility-3-public-beta.html)

- 2019.10 [countuponsecurity] [Notes on Linux Memory Analysis – LiME, Volatility and LKM’s](https://countuponsecurity.com/2019/10/14/notes-on-linux-memory-analysis-lime-volatility-and-lkms/)

- 2019.10 [doyler] [BofA Forensics and Volatility for the Win (DerbyCon 9)](https://www.doyler.net/security-not-included/bofa-forensics-derbycon-9-ctf)

- 2019.07 [cristivlad25] [Practical Pentesting - How to do Memory Forensics with Volatility - AttackDefense Labs](https://www.youtube.com/watch?v=epPEA6Cw3_Q)

- 2019.06 [infosecinstitute] [Ransomware analysis with Volatility](https://resources.infosecinstitute.com/ransomware-analysis-with-volatility/)

- 2019.04 [andreafortuna] [How to analyze a VMware memory image with Volatility](https://www.andreafortuna.org/2019/04/03/how-to-analyze-a-vmware-memory-image-with-volatility/)

- 2019.03 [4hou] [基础事件响应中的Volatility工作流程](https://www.4hou.com/web/16598.html)

- 2019.01 [sans] [Mac Memory Analysis with Volatility](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493741844.pdf)

- 2019.01 [sans] [Android Mind Reading - Memory Acquisition and Analysis with LiME and Volatility](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493741700.pdf)

- 2019.01 [sans] [Volatility Bot](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492186622.pdf)

- 2018.11 [volatility] [Results from the 2018 Volatility Contests are in!](https://volatility-labs.blogspot.com/2018/11/results-from-annual-2018-volatility-contests.html)

- 2018.08 [jpcert] [Volatility Plugin for Detecting Cobalt Strike Beacon](https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html)

- 2018.07 [aliyun] [利用Volatility进行入侵痕迹分析](https://xz.aliyun.com/t/2497)

- 2018.07 [andreafortuna] [Digital forensics chronicles: image identification issues on large memory dump with Volatility](https://www.andreafortuna.org/dfir/digital-forensics-chronicles-image-identification-issues-on-large-memory-dump-with-volatility/)

- 2018.07 [andreafortuna] [Finding malware on memory dumps using Volatility and Yara rules](https://www.andreafortuna.org/dfir/finding-malware-on-memory-dumps-using-volatility-and-yara-rules/)

- 2018.05 [pentesttoolz] [Linux Screenshot XWindows – Volatility Plugin To Extract X Screenshots From A Memory Dump](https://pentesttoolz.com/2018/05/22/linux-screenshot-xwindows-volatility-plugin-to-extract-x-screenshots-from-a-memory-dump/)

- 2018.05 [volatility] [The 6th Annual Volatility Plugin Contest and the Inaugural Volatility Analysis Contest!](https://volatility-labs.blogspot.com/2018/05/the-6th-annual-volatility-plugin.html)

- 2018.05 [pentestingexperts] [Memory Forensics Investigation using Volatility (Part 1)](http://www.pentestingexperts.com/memory-forensics-investigation-using-volatility-part-1/)

- 2018.05 [cybertriage] [Using Volatility in Cyber Triage to Analyze Memory](https://www.cybertriage.com/2018/using-volatility-in-cyber-triage/)

- 2018.04 [acolyer] [Espresso: brewing Java for more non-volatility with non-volatile memory](https://blog.acolyer.org/2018/04/25/espresso-brewing-java-for-more-non-volatility-with-non-volatile-memory/)

- 2018.03 [broadanalysis] [Guest Blog Post: njRat Analysis with Volatility](http://www.broadanalysis.com/2018/03/25/guest-blog-post-njrat-analysis-with-volatility/)

- 2018.03 [X13Cubed] [Volatility Profiles and Windows 10](https://www.youtube.com/watch?v=Us1gbPqtdtY)

- 2018.01 [cydefe] [Tools 101: Volatility Usage](http://www.cydefe.com/podcast/2018/1/30/tools-101-volatility-usage)

- 2018.01 [hackingarticles] [Memory Forensics Investigation using Volatility (Part 1)](http://www.hackingarticles.in/memory-forensics-investigation-using-volatility-part-1/)

- 2017.12 [360] [如何使用QEMU和Volatility攻击全盘加密的系统](https://www.anquanke.com/post/id/90794/)

- 2017.12 [diablohorn] [使用 qemu 和volatility 攻击加密系统](https://diablohorn.com/2017/12/12/attacking-encrypted-systems-with-qemu-and-volatility/)

- 2017.11 [pentestingexperts] [Stuxnet’s Footprint in Memory with Volatility 2.0](http://www.pentestingexperts.com/stuxnets-footprint-in-memory-with-volatility-2-0/)

- 2017.11 [volatility] [Results from the (5th Annual) 2017 Volatility Plugin Contest are in!](https://volatility-labs.blogspot.com/2017/11/results-from-5th-annual-2017-volatility.html)

- 2017.10 [sans] [Using Yara rules with Volatility ](https://isc.sans.edu/forums/diary/Using+Yara+rules+with+Volatility/22950/)

- 2017.10 [4hou] [使用Volatility检测DoublePulsar](http://www.4hou.com/system/7321.html)

- 2017.08 [shelliscoming] [编写 Volatility 插件，轻松识别内存中的 DoublePulsar SMB implant](http://www.shelliscoming.com/2017/08/doublepulsar-smb-implant-detection-from.html)

- 2017.08 [nextplatform] [The Ironic – And Fleeting – Volatility In NVM Storage](https://www.nextplatform.com/2017/08/14/ironic-fleeting-volatility-nvm-storage/)

- 2017.05 [360] [电子取证技术之实战Volatility工具](https://www.anquanke.com/post/id/86036/)

- 2017.04 [volatility] [The (5th Annual) 2017 Volatility Plugin Contest is Live!](https://volatility-labs.blogspot.com/2017/04/the-5th-annual-2017-volatility-plugin.html)

- 2017.02 [ponderthebits] [OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility](http://ponderthebits.com/2017/02/osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility/)

- 2017.01 [freebuf] [利用Volatility进行Windows内存取证分析(二)：内核对象、内核池学习小记](http://www.freebuf.com/sectool/124800.html)

- 2017.01 [freebuf] [利用Volatility进行Windows内存取证分析(一)：初体验](http://www.freebuf.com/sectool/124690.html)

- 2016.12 [volatility] [The Release of Volatility 2.6](https://volatility-labs.blogspot.com/2016/12/the-release-of-volatility-26.html)

- 2016.12 [volatility] [Results from the 2016 Volatility Plugin Contest are in!](https://volatility-labs.blogspot.com/2016/12/results-from-2016-volatility-plugin.html)

- 2016.10 [sans] [Volatility Bot: Automated Memory Analysis](https://isc.sans.edu/forums/diary/Volatility+Bot+Automated+Memory+Analysis/21655/)

- 2016.10 [tisiphone] [Using Team Cymru’s MHR with Volatility](https://tisiphone.net/2016/10/27/using-team-cymrus-mhr-with-volatility/)

- 2016.10 [n0where] [Automated Memory Analyzer For Malware Samples: VolatilityBot](https://n0where.net/automated-memory-analyzer-volatilitybot)

- 2016.09 [volatility] [Volatility Update: Core team is growing!](https://volatility-labs.blogspot.com/2016/09/volatility-update-core-team-is-growing.html)

- 2016.09 [cysinfo] [Detecting Malicious Processes Using Psinfo Volatility Plugin](https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/)

- 2016.09 [cysinfo] [Detecting Deceptive Process Hollowing Techniques Using HollowFind Volatility Plugin](https://cysinfo.com/detecting-deceptive-hollowing-techniques/)

- 2016.08 [linoxide] [How to Setup Volatility Tool for Memory Analysis](https://linoxide.com/linux-how-to/setup-volatility-memory-analysis/)

- 2016.07 [cysinfo] [Linux Memory Diff Analysis using Volatility](https://cysinfo.com/linux-memory-diff-analysis-using-volatility-2/)

- 2016.06 [cysinfo] [Hunting APT RAT 9002 In Memory Using Volatility Plugin](https://cysinfo.com/hunting-apt-rat-9002-in-memory-using-volatility-plugin/)

- 2016.05 [freebuf] [使用VOLATILITY发现高级恶意软件](http://www.freebuf.com/articles/system/104899.html)

- 2016.04 [virusbulletin] [VB2015 paper: VolatilityBot: Malicious Code Extraction Made by and for Security Researchers](https://www.virusbulletin.com/blog/2016/02/vb2015-paper-volatilitybot-malicious-code-extraction-made-and-security-researchers/)

- 2016.04 [holisticinfosec] [toolsmith #115: Volatility Acuity with VolUtility](https://holisticinfosec.blogspot.com/2016/04/toolsmith-115-volatility-acuity-with.html)

- 2016.04 [volatility] [Airbnb Donates $999 to the 2016 Volatility Plugin Contest!](https://volatility-labs.blogspot.com/2016/04/airbnb-donates-999-to-2016-volatility.html)

- 2016.04 [volatility] [The 2016 Volatility Plugin Contest is now live!](https://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-contest-is.html)

- 2016.02 [360] [在windows环境下使用Volatility或PE Capture捕捉执行代码（PE/DLL/驱动恶意文件）](https://www.anquanke.com/post/id/83507/)

- 2016.02 [tribalchicken] [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.io/extracting-filevault-2-keys-with-volatility/)

- 2016.02 [tribalchicken] [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.net/extracting-filevault-2-keys-with-volatility/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Overview](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-1-mimikatz-lsass-exe-dump/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-2-windows-7-full-memory-dump-get-hashes/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-3-windbg-mimikatz-extension/)

- 2016.02 [govolution] [Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz](https://govolution.wordpress.com/2016/02/06/windows-credentials-and-memory-dumps-part-4-volatility-mimikatz/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 6: VMWare Workstation](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-6-vmware-workstation/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-7-esxi-server/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 8: ESXi Attacking Scenario – Volatility on ESXi](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-8-esxi-attacking-scenario-volatility-on-esxi/)

- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-9-logging-monitoring-esxi/)

- 2016.01 [sans] [Some useful volatility plugins ](https://isc.sans.edu/forums/diary/Some+useful+volatility+plugins/20623/)

- 2016.01 [metabrik] [Malware analysis with VM instrumentation, WMI, winexe, Volatility and Metabrik](https://www.metabrik.org/blog/2016/01/09/malware-analysis-with-vm-instrumentation-wmi-winexe-volatility-and-metabrik/)

- 2015.11 [volatility] [Guest Post: Martin Korman (VolatilityBot - An Automated Malicious Code Dumper)](https://volatility-labs.blogspot.com/2015/11/guest-post-martin-korman-volatilitybot.html)

- 2015.11 [tribalchicken] [Extracting BitLocker keys with Volatility (PoC)](https://tribalchicken.io/extracting-bitlocker-keys-with-volatility-part-1-poc/)

- 2015.11 [tribalchicken] [Extracting BitLocker keys with Volatility (PoC)](https://tribalchicken.net/extracting-bitlocker-keys-with-volatility-part-1-poc/)

- 2015.11 [secist] [调查取证之Volatility框架的使用](http://www.secist.com/archives/2082.html)

- 2015.11 [n0where] [Volatile Memory Extraction: The Volatility Framework](https://n0where.net/volatile-memory-extraction)

- 2015.11 [volatility] [PlugX: Memory Forensics Lifecycle with Volatility](https://volatility-labs.blogspot.com/2015/11/plugx-memory-forensics-lifecycle-with.html)

- 2015.10 [volatility] [Results from the 2015 Volatility Plugin Contest are in!](https://volatility-labs.blogspot.com/2015/10/results-from-2015-volatility-plugin.html)

- 2015.10 [autopsy] [The Volatility team talks proactive threat hunting with memory forensics (an OSDFCon presentation)](https://www.autopsy.com/the-volatility-team-talks-proactive-threat-hunting-with-memory-forensics-an-osdfcon-presentation/)

- 2015.10 [angelalonso] [Android Memory Analysis (II) - Extracting the memory and analyzing with Volatility](http://blog.angelalonso.es/2015/10/android-memory-analysis-analyzing.html)

- 2015.09 [airbuscybersecurity] [Volatility plugin for PlugX updated](http://blog.airbuscybersecurity.com/post/2015/08/Volatility-plugin-for-PlugX-updated)

- 2015.08 [volatility] [Volatility Updates Summer 2015](https://volatility-labs.blogspot.com/2015/08/volatility-updates-summer-2015.html)

- 2015.07 [volatility] [The 2015 Volatility Plugin contest is now live!](https://volatility-labs.blogspot.com/2015/07/the-2015-volatility-plugin-contest-is.html)

- 2015.07 [volatility] [Volatility at Black Hat USA & DFRWS 2015!](https://volatility-labs.blogspot.com/2015/07/volatility-at-black-hat-usa-dfrws-2015.html)

- 2015.02 [kudelskisecurity] [Volatility plugin for Dyre](https://research.kudelskisecurity.com/2015/02/11/volatility-plugin-for-dyre/)

- 2014.12 [sans] [Some Memory Forensic with Forensic Suite (Volatility plugins)](https://isc.sans.edu/forums/diary/Some+Memory+Forensic+with+Forensic+Suite+Volatility+plugins/19071/)

- 2014.10 [volatility] [Announcing the 2014 Volatility Plugin Contest Results!](https://volatility-labs.blogspot.com/2014/10/announcing-2014-volatility-plugin.html)

- 2014.09 [volatility] [The Volatility Foundation: Fighting for Open Source Forensics](https://volatility-labs.blogspot.com/2014/09/the-volatility-foundation-fighting-for.html)

- 2014.09 [volatility] [Volatility 2.4 at Blackhat Arsenal - Defeating Truecrypt Disk Encryption](https://volatility-labs.blogspot.com/2014/09/volatility-24-at-blackhat-arsenal.html)

- 2014.09 [volatility] [Facebook Donation Doubles the Volatility Plugin Contest Prizes](https://volatility-labs.blogspot.com/2014/09/facebook-donation-doubles-volatility.html)

- 2014.09 [volatility] [Heads Up! 2014 Volatility Plugin Contest Deadline Extended!](https://volatility-labs.blogspot.com/2014/09/heads-up-2014-volatility-plugin-contest.html)

- 2014.08 [volatility] [Volatility 2.4 at Blackhat Arsenal - Reverse Engineering Rootkits](https://volatility-labs.blogspot.com/2014/08/volatility-24-at-blackhat-arsenal.html)

- 2014.08 [] [Forensic FOSS: 4n6k_volatility_installer.sh - Install Volatility For Linux Automatically](http://www.4n6k.com/2014/08/forensic-foss-4n6kvolatilityinstallersh.html)

- 2014.08 [volatility] [Volatility 2.4 at Blackhat Arsenal - Tracking Mac OS X User Activity](https://volatility-labs.blogspot.com/2014/08/volatility-24-at-blackhat-arsenal_21.html)

- 2014.08 [toolswatch] [Volatility v2.4 – Art of Memory Forensics Released](http://www.toolswatch.org/2014/08/volatility-v2-4-art-of-memory-forensics-released/)

- 2014.08 [volatility] [New Volatility 2.4 Cheet Sheet with Linux, Mac, and RTFM](https://volatility-labs.blogspot.com/2014/08/new-volatility-24-cheet-sheet-with.html)

- 2014.08 [volatility] [Presenting Volatility Foundation Volatility Framework 2.4](https://volatility-labs.blogspot.com/2014/08/presenting-volatility-foundation.html)

- 2014.07 [volatility] [Volatility at Black Hat USA & DFRWS 2014](https://volatility-labs.blogspot.com/2014/07/volatility-at-black-hat-usa-dfrws-2014.html)

- 2014.05 [volatility] [Volatility - Update All The Things](https://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html)

- 2014.04 [volatility] [Volatility Memory Forensics and Malware Analysis Training in Australia!](https://volatility-labs.blogspot.com/2014/04/volatility-memory-forensics-and-malware.html)

- 2014.03 [reverse] [Teaching Rex another TrustedBSD trick to hide from Volatility](https://reverse.put.as/2014/03/18/teaching-rex-another-trustedbsd-trick-to-hide-from-volatility/)

- 2014.03 [mcafee] [Timeline of Bitcoin Events Demonstrates Online Currency’s Volatility](https://securingtomorrow.mcafee.com/mcafee-labs/timeline-bitcoin-events-demonstrates-volatility/)

- 2014.02 [freebuf] [利用Volatility查找系统中的恶意DLL](http://www.freebuf.com/articles/system/26936.html)

- 2014.02 [freebuf] [Linux下内存取证工具Volatility的使用](http://www.freebuf.com/articles/system/26763.html)

- 2014.02 [volatility] [Training by The Volatility Project Now Available In Three Continents!](https://volatility-labs.blogspot.com/2014/02/training-by-volatility-project-now.html)

- 2013.11 [holisticinfosec] [Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002](https://holisticinfosec.blogspot.com/2013/11/volatility-23-and-fireeyes-diskless.html)

- 2013.11 [toolswatch] [Volatility The advanced memory forensics framework v2.3 available (Support of OSX)](http://www.toolswatch.org/2013/11/volatility-the-advanced-memory-forensics-framework-v2-3-available-support-of-osx/)

- 2013.10 [volatility] [Volatility 2.3 Released! (Official Mac OS X and Android Support)](https://volatility-labs.blogspot.com/2013/10/volatility-23-released-official-mac-os.html)

- 2013.09 [volatility] [Leveraging CybOX with Volatility](https://volatility-labs.blogspot.com/2013/09/leveraging-cybox-with-volatility.html)

- 2013.08 [quequero] [Quick Volatility overview and R.E. analysis of Win32.Chebri](https://quequero.org/2013/08/quick-volatility-overview-and-r-e-analysis-of-win32-chebri/)

- 2013.08 [volatility] [Results are in for the 1st Annual Volatility Framework Plugin Contest!](https://volatility-labs.blogspot.com/2013/08/results-are-in-for-1st-annual.html)

- 2013.06 [sans] [Volatility rules...any questions?](https://isc.sans.edu/forums/diary/Volatility+rulesany+questions/16022/)

- 2013.06 [volatility] [MOVP II - 4.5 - Mac Volatility vs the Rubilyn Kernel Rootkit](https://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html)

- 2013.05 [volatility] [Automated Volatility Plugin Generation with Dalvik Inspector](https://volatility-labs.blogspot.com/2013/05/automated-volatility-plugin-generation.html)

- 2013.05 [securityintelligence] [Zeus Analysis – Memory Forensics via Volatility](https://securityintelligence.com/zeus-analysis-memory-forensics-via-volatility/)

- 2013.05 [volatility] [MoVP II - 2.3 - Creating Timelines with Volatility](https://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html)

- 2013.05 [volatility] [MOVP II - 1.5 - ARM Address Space (Volatility and Android / Mobile)](https://volatility-labs.blogspot.com/2013/05/movp-ii-15-arm-address-space-volatility.html)

- 2013.05 [volatility] [What's Happening in the World of Volatility?](https://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-volatility.html)

- 2013.04 [cyberarms] [Volatility Memory Analysis Article Featured in eForensics Magazine](https://cyberarms.wordpress.com/2013/04/02/volatility-memory-analysis-article-featured-in-eforensics-magazine/)

- 2013.03 [volatility] [Official Training by Volatility - Reston/VA, June 2013](https://volatility-labs.blogspot.com/2013/03/official-training-by-volatility.html)

- 2013.01 [theevilbit] [Backtrack Forensics: Memory analysis with volatility](http://theevilbit.blogspot.com/2013/01/backtrack-forensics-memory-analysis.html)

- 2013.01 [volatility] [The 1st Annual Volatility Framework Plugin Contest](https://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-framework.html)

- 2013.01 [hackingarticles] [Volatility – An advanced memory forensics framework](http://www.hackingarticles.in/volatility-an-advanced-memory-forensics-framework/)

- 2012.12 [volatility] [What do Upclicker, Poison Ivy, Cuckoo, and Volatility Have in Common?](https://volatility-labs.blogspot.com/2012/12/what-do-upclicker-poison-ivy-cuckoo-and.html)

- 2012.12 [securityartwork] [New MFTParser plugin in the alpha version of Volatility](https://www.securityartwork.es/2012/12/18/new-mftparser-plugin-in-the-alpha-version-of-volatility/)

- 2012.11 [volatility] [Windows Memory Forensics Training for Analysts by Volatility Developers](https://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-training-for.html)

- 2012.10 [volatility] [OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility](https://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kernel.html)

- 2012.10 [volatility] [MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up](https://volatility-labs.blogspot.com/2012/10/movp-for-volatility-22-and-omfw-2012.html)

- 2012.10 [volatility] [Solving the GrrCon Network Forensics Challenge with Volatility](https://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html)

- 2012.10 [volatility] [Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit](https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html)

- 2012.09 [volatility] [MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility](https://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html)

- 2012.09 [volatility] [MoVP 2.5: Investigating In-Memory Network Data with Volatility](https://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html)

- 2012.09 [sans] [Volatility: 2.2 is Coming Soon](https://isc.sans.edu/forums/diary/Volatility+22+is+Coming+Soon/14125/)

- 2012.09 [volatility] [Month of Volatility Plugins (MoVP)](https://volatility-labs.blogspot.com/2012/09/month-of-volatility-plugins-movp.html)

- 2012.08 [sans] [Digital Forensics Case Leads: Identifying TrueCrypt volumes with Volatility, Malware that can sneak into VM's and more....](https://digital-forensics.sans.org/blog/2012/08/24/digital-forensics-case-leads-identifying-truecrypt-volumes-with-volatility-malware-that-can-sneak-into-vms-and-more)

- 2012.08 [sans] [Digital Forensics Case Leads: Multi-plat RAT, No US Cybersecurity bill, Dropbox drops a doozie, Volatility everywhere](https://digital-forensics.sans.org/blog/2012/08/03/digital-forensics-case-leads-multi-plat-rat-no-us-cybersecurity-bill-dropbox-drops-a-doozie-volatility-everywhere)

- 2012.07 [sans] [Digital Forensics Case Leads: Skype acting weird, Mircosoft backdooring Skype! Volatility with x64 support... Facebook censoring chats for criminal activities!? A Russian hacker challenge Apple by bypassing Apple Store authentication mechanism and get apps for free!!! All that and more, this week on Case Leadsâ¦](https://digital-forensics.sans.org/blog/2012/07/21/digital-forensics-case-leads-skype-acting-weird-mircosoft-backdooring-skype-volatility-with-x64-support-facebook-censoring-chats-for-criminal-activities-a-russian-hacker-challenge-apple-by-byp)

- 2012.04 [hiddenillusion] [YARA + Volatility ... the beginning](http://hiddenillusion.blogspot.com/2012/04/yara-volatility-beginning.html)

- 2012.03 [hiddenillusion] [Making Volatility work for you](http://hiddenillusion.blogspot.com/2012/03/making-volatility-work-for-you.html)

- 2011.10 [quequero] [Shylock via volatility](https://quequero.org/2011/10/shylock-via-volatility/)

- 2011.09 [holisticinfosec] [toolsmith: Memory Analysis with DumpIt and Volatility](https://holisticinfosec.blogspot.com/2011/09/toolsmith-memory-analysis-with-dumpit.html)

- 2011.08 [sans] [Digital Forensics Case Leads: SIFT 2.1, Volatility 2.0](https://digital-forensics.sans.org/blog/2011/08/04/digital-forensics-case-leads-8-4-11)

- 2011.02 [toolswatch] [Volatility The advanced memory forensics framework v1.4 released](http://www.toolswatch.org/2011/02/volatility-the-advanced-memory-forensics-framework-v1-4-released/)

- 2011.01 [sans] [A Quick Look at Volatility 1.4 RC1 - What's New?](https://digital-forensics.sans.org/blog/2011/01/13/whats-new-volatility-1-4)

- 2010.05 [holisticinfosec] [Memory forensics with SIFT 2.0, Volatility, and PTK](https://holisticinfosec.blogspot.com/2010/05/memory-forensics-with-sift-20.html)

- 2010.02 [sans] [Digital Forensics Case Leads: Volatility and RegRipper, Better Together](https://digital-forensics.sans.org/blog/2010/02/18/digital-forensics-case-leads-volatility-and-regripper-better-together)

- 2009.07 [sans] [New Volatility plugins](https://isc.sans.edu/forums/diary/New+Volatility+plugins/6862/)

- 2009.05 [sans] [More new volatility plugins](https://isc.sans.edu/forums/diary/More+new+volatility+plugins/6475/)

- 2009.04 [windowsir] [New Volatility Plugins](http://windowsir.blogspot.com/2009/04/new-volatility-plugins.html)

- 2009.03 [moyix] [Using Volatility for Introspection](http://moyix.blogspot.com/2009/03/using-volatility-for-introspection.html)

- 2009.03 [moyix] [RegRipper and Volatility Prototype](http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html)

- 2008.08 [windowsir] [Volatility 1.3 is out!](http://windowsir.blogspot.com/2008/08/volatility-13-is-out.html)

- 2008.08 [moyix] [Volatility 1.3 is out!](http://moyix.blogspot.com/2008/08/volatility-13-is-out.html)

***

## Sleuthkit

- 2018.10 [insinuator] [Comparison of our tool afro (APFS file recovery) with Blackbag Blacklight and Sleuthkit](https://insinuator.net/2018/10/comparison-of-our-tool-afro-apfs-file-recovery-with-blackbag-blacklight-and-sleuthkit/)

- 2011.10 [sans] [Digital Forensics Case Leads:  Passwords in Wills, Google Chrome a Virus, Cybercrime Unit Saving Money and Updates for Sleuthkit and SSDeep.](https://digital-forensics.sans.org/blog/2011/10/14/digital-forensics-case-leads-passwords-in-wills-google-chrome-a-virus-cybercrime-unit-saving-money-and-updates-for-sleuthkit-and-ssdeep)

- 2011.09 [sans] [Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows](https://digital-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows)

- 2005.10 [windowsir] [Sleuthkit on Windows](http://windowsir.blogspot.com/2005/10/sleuthkit-on-windows.html)

***

## Rekall

- 2019.01 [4hou] [借助Rekall进行内存实时分析](http://www.4hou.com/technology/15483.html)

- 2019.01 [sans] [Rekall Memory Forensics](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493740529.pdf)

- 2018.12 [ironcastle] [Live memory analysis using Rekall, (Tue, Dec 25th)](https://www.ironcastle.net/live-memory-analysis-using-rekall-tue-dec-25th/)

- 2018.12 [sans] [Live memory analysis using Rekall](https://isc.sans.edu/forums/diary/Live+memory+analysis+using+Rekall/24454/)

- 2018.01 [rekall] [ELF hacking with Rekall](http://blog.rekall-forensic.com/2018/01/elf-hacking-with-rekall.html)

- 2017.08 [rekall] [Rekall Agent Alpha launch](http://blog.rekall-forensic.com/2017/08/rekall-agent-alpha-launch.html)

- 2017.07 [insinuator] [Release of Glibc Heap Analysis Plugins for Rekall](https://insinuator.net/2017/07/release-of-glibc-heap-analysis-plugins-for-rekall/)

- 2016.10 [rekall] [The Rekall Agent Whitepaper](http://blog.rekall-forensic.com/2016/10/the-rekall-agent-whitepaper.html)

- 2015.11 [toolswatch] [Rekall The Memory Forensic Framework](http://www.toolswatch.org/2015/11/rekall-the-memory-forensic-framework/)

- 2015.10 [holisticinfosec] [toolsmith #109: CapLoader network carving from Rekall WinPmem Memory Image](https://holisticinfosec.blogspot.com/2015/10/toolsmith-109-caploader-network-carving.html)

- 2015.05 [holisticinfosec] [toolsmith: Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem](https://holisticinfosec.blogspot.com/2015/05/toolsmith-attack-detection-hunting-in.html)

- 2015.02 [n0where] [Rekall Memory Forensic Framework](https://n0where.net/rekall-memory-forensic-framework)

- 2014.03 [sans] [Linux Memory Dump with Rekall](https://isc.sans.edu/forums/diary/Linux+Memory+Dump+with+Rekall/17775/)

# 工具

***

## 新添加

- [**5208**星][7m] [Py] [usarmyresearchlab/dshell](https://github.com/usarmyresearchlab/dshell) 可扩展的网络取证分析框架。支持快速开发插件，以支持剖析网络数据包捕获。

- [**3337**星][11d] [Py] [google/grr](https://github.com/google/grr) remote live forensics for incident response

- [**1912**星][13d] [Shell] [toniblyx/prowler](https://github.com/toniblyx/prowler) AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100). Official CIS for AWS guide:

- [**1227**星][12d] [Py] [google/timesketch](https://github.com/google/timesketch) Collaborative forensic timeline analysis

- [**1155**星][4m] [Go] [mozilla/mig](https://github.com/mozilla/mig) 分布式实时数字取证和研究平台

- [**1024**星][13d] [Py] [ondyari/faceforensics](https://github.com/ondyari/faceforensics) Github of the FaceForensics dataset

- [**1017**星][12d] [Rich Text Format] [decalage2/oletools](https://github.com/decalage2/oletools)  python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

- [**949**星][2y] [C#] [invoke-ir/powerforensics](https://github.com/invoke-ir/powerforensics) PowerForensics provides an all in one platform for live disk forensic analysis

- [**883**星][2m] [C] [cisco/joy](https://github.com/cisco/joy) 捕获和分析网络流数据和intraflow数据，用于网络研究、取证和安全监视

- [**832**星][27d] [Py] [yampelo/beagle](https://github.com/yampelo/beagle)  an incident response and digital forensics tool which transforms security logs and data into graphs.

- [**791**星][4m] [Py] [srinivas11789/pcapxray](https://github.com/srinivas11789/pcapxray) 网络取证工具：离线将捕获数据包可视化为网络图，包括设备标识，突出显示重要的通信和文件提取

- [**762**星][2m] [Py] [snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux

- [**544**星][1m] [Go] [biggiesmallsag/nighthawkresponse](https://github.com/biggiesmallsag/nighthawkresponse) Incident Response Forensic Framework

- [**485**星][26d] [Py] [netflix-skunkworks/diffy](https://github.com/netflix-skunkworks/diffy) a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

- [**429**星][3m] [Py] [obsidianforensics/hindsight](https://github.com/obsidianforensics/hindsight) Internet history forensics for Google Chrome/Chromium

- [**419**星][20d] [Py] [forensicartifacts/artifacts](https://github.com/forensicartifacts/artifacts) Digital Forensics Artifact Repository

- [**395**星][2y] [PS] [cryps1s/darksurgeon](https://github.com/cryps1s/darksurgeon) a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense.

- [**392**星][11m] [Go] [mozilla/masche](https://github.com/mozilla/masche) MIG Memory Forensic library

- [**381**星][5y] [JS] [le4f/pcap-analyzer](https://github.com/le4f/pcap-analyzer) 在线轻量Pcap流量文件分析工具

- [**349**星][3m] [Shell] [orlikoski/skadi](https://github.com/orlikoski/Skadi) collection, processing and advanced analysis of forensic artifacts and images.

- [**324**星][11m] [Py] [alessandroz/lazagneforensic](https://github.com/alessandroz/lazagneforensic) Windows passwords decryption from dump files

- [**320**星][2y] [C] [fireeye/rvmi](https://github.com/fireeye/rvmi) steroids 调试器，利用 VMI（Virtual Machine Introspection） 和内存取证来提供全面的系统分析

- [**316**星][12d] [Py] [google/turbinia](https://github.com/google/turbinia) Automation and Scaling of Digital Forensics Tools

- [**303**星][2m] [Shell] [vitaly-kamluk/bitscout](https://github.com/vitaly-kamluk/bitscout) 远程数据取证工具

- [**295**星][3y] [invoke-ir/forensicposters](https://github.com/invoke-ir/forensicposters) 多种数据结构图解：MBR/GPT/...

- [**274**星][13d] [Perl] [owasp/o-saft](https://github.com/owasp/o-saft) OWASP SSL advanced forensic tool

- [**268**星][3y] [Py] [ghirensics/ghiro](https://github.com/ghirensics/ghiro) Automated image forensics tool

- [**263**星][7m] [Batchfile] [diogo-fernan/ir-rescue](https://github.com/diogo-fernan/ir-rescue) A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

- [**260**星][1m] [Py] [google/docker-explorer](https://github.com/google/docker-explorer) A tool to help forensicate offline docker acquisitions

- [**252**星][1y] [C++] [comaeio/swishdbgext](https://github.com/comaeio/SwishDbgExt) Incident Response & Digital Forensics Debugging Extension

- [**247**星][1m] [Py] [orlikoski/cdqr](https://github.com/orlikoski/CDQR) a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

- [**245**星][1y] [Py] [crowdstrike/forensics](https://github.com/crowdstrike/forensics) Scripts and code referenced in CrowdStrike blog posts

- [**233**星][2m] [C] [elfmaster/libelfmaster](https://github.com/elfmaster/libelfmaster) Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools

- [**225**星][3m] [Py] [crowdstrike/automactc](https://github.com/crowdstrike/automactc) Automated Mac Forensic Triage Collector

- [**224**星][4y] [Java] [nowsecure/android-forensics](https://github.com/nowsecure/android-forensics) Open source Android Forensics app and framework

- [**213**星][2y] [C#] [shanek2/invtero.net](https://github.com/shanek2/invtero.net) A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

- [**202**星][11m] [Py] [medbenali/cyberscan](https://github.com/medbenali/cyberscan) Network's Forensics ToolKit

- [**191**星][2m] [Py] [lazza/recuperabit](https://github.com/lazza/recuperabit) A tool for forensic file system reconstruction.

- [**177**星][11d] [Py] [markbaggett/srum-dump](https://github.com/markbaggett/srum-dump) A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.

- [**176**星][4y] [Py] [csababarta/ntdsxtract](https://github.com/csababarta/ntdsxtract) Active Directory forensic framework

- [**168**星][2y] [Py] [monrocoury/forensic-tools](https://github.com/monrocoury/forensic-tools) A collection of tools for forensic analysis

- [**162**星][6m] [Py] [cvandeplas/elk-forensics](https://github.com/cvandeplas/elk-forensics) ELK configuration files for Forensic Analysts and Incident Handlers (unmaintained)

- [**162**星][2m] [C++] [gregwar/fatcat](https://github.com/gregwar/fatcat) FAT filesystems explore, extract, repair, and forensic tool

- [**158**星][2m] [Py] [travisfoley/dfirtriage](https://github.com/travisfoley/dfirtriage) Digital forensic acquisition tool for Windows based incident response.

- [**154**星][9m] [Py] [vikwin/pcapfex](https://github.com/vikwin/pcapfex) 'Packet Capture Forensic Evidence eXtractor' is a tool that finds and extracts files from packet capture files

- [**150**星][4m] [Py] [stuhli/dfirtrack](https://github.com/stuhli/dfirtrack) �