DFIR Tooling
🛠️

DFIR Tooling

NameSiteTagsPricingDescription
💾
AccessData FTK Imager
disk image creationlive memory acquisition
Free
Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.
🗃️
AChoir
artifact collectionwindowsacquisition
Free
Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.
🤖
AMAaaS
sandboxapk analysisandroidsaas
Free
Android Malware Analysis as a Service, executed in a native Android environment.
anlyz.io
file analysisurl analysissaas
Free
Malware sandbox to analyze file and url with a main dashboard and search features!
Any Run
sandboxsaas
FreeCommercial
Malware hunting with live access to the heart of an incident Watch the epidemic as if it was on your computer, but in a more convenient and secure way, with a variety of monitoring features.
🗃️
AppCompatProcessor
logparsingosxlinux
FreeBeta
AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking and grepping techniques.
⚙️
Appliance for Digital Investigation and Analysis (ADIA)
linux distributionall-in-oneforensics
Free
VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
🦹🏼
APTSimulator
adversary emulation
Free
APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. In contrast to other adversary simulation tools, APT Simulator is deisgned to make the application as simple as possible. You don't need to run a web server, database or any agents on set of virtual machines. Just download the prepared archive, extract and run the contained Batch file as Administrator. Running APT Simulator takes less than a minute of your time.
🗃️
artifactcollector
artifact collection
Free
The artifactcollector project provides a software that collects forensic artifacts on systems. These artifacts can be used in forensic investigations to understand attacker behavior on compromised computers.
🦹🏼
Atomic Red Team
adversary emulation
Free
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK).
⚖️
ATT&CK Evaluations
solutions evaluations
Free
🦹🏼
ATT&CK Simulator
adversary emulation
Free
This project provides a set of tooling for repeatedly executing and detecting adversary techniques.
🦹🏼
Attack Data by Splunk
adversary emulationsplunk
Free
A Repository of curated datasets from various attacks to: - Easily develop detections without having to build an environment from scratch or simulate an attack. - Test detections, specifically Splunks Security Content - Replay/inject into streaming pipelines for validating your detections in your production SIEM
🎫
Aurora Incident Response
reportingsirp
Free
Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders. Aurora brings "Spreadsheet of Doom" used in the SANS FOR508 class to the next level. Having led many cases and taught so many students how to do IR right, I realized, that many struggle with keeping control over all the findings. That does not only prevent them from seeing what they already have, but even less so what they are missing.
🔍
Autopsy
all-in-oneforensicsanalyticsartifact collectionartifact analysis
Free
Autopsy® is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and smart phones. It has a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python.
🦹🏼
AutoTTP
adversary emulation
Free
Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers & so on can be tedious. I toyed with the idea of making it easier to script Empire (or any frameworks/products/toolkits that provide APIs like Metasploit (RPC), Cobalt-Strike & so on) using IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much work in progress. Test with Empire 2.2.
💾
AVML
live memory acquisitionlinux
Free
A portable volatile memory acquisition tool for Linux.
🔍
Belkasoft Evidence Center X
all-in-oneforensics
Commercial
The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
💾
Belkasoft Live RAM Capturer
live memory acquisitionwindows
Free
Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
💾
Bitscout
disk image creation
Free
Bitscout is customizable live OS constructor tool written entirely in bash. It's main purpose is to help you quickly create own remote forensics bootable disk image.
🦹🏼
Blue Team Training Toolkit (BT3)
adversary emulation
Free
Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level. BT3 has been created by Juan J. Güelfo, security expert and founder of Encripto.
🗃️
bulk_extractor
artifact collection
Free
Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness.
💾
Cado Cloud Collector
acquisitioncloudawsec2instance imaging
Free
Cado Cloud Collector is a free solution to make forensic imaging of AWS EC2 instances a whole lot easier.
💾
Cado Host
acquisitioncloudinstance imagingartifact collection
Free
Cado Host is a solution to acquire forensic artefacts from systems, into cloud storage. This enables you to perform a quick triage investigation of the target system.
💾
Cado Live
acquisitionclouddisk image creationinstance imaging
Free
Cado Live is an all in one solution to forensically image local system drives into the cloud.
🦹🏼
Caldera
adversary emulation
Free
Full documentation, training and use-cases can be found here. CALDERA™ is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response. It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.
CAPEv2
sandboxmalware analysis
Free
CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to detect malware based on payload signatures, as well as automating many of the goals of malware reverse engineering and threat intelligence.
🦹🏼‍♂️
Chain Reactor
adversary emulation
Free
Red Canary is launching a new open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.
🗃️
Cold Disk Quick Response
artifact collection
Free
Streamlined list of parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc) and output nine reports.
⚙️
Computer Aided INvestigative Environment (CAINE)
linux distributionforensicsall-in-one
Free
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently the project manager is Nanni Bassetti (Bari - Italy). Contains numerous tools that help investigators during their analysis, including forensic evidence collection. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
🔎
Cortex (TheHive Project)
cyber threat intelligence
Free
Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several?
🎫
Cortex XSOAR (Demisto )
soarsirp
Commercial
Palo Alto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations.
🍎
Crescendo
osxevent viewer
Free
Crescendo is a real time event viewer for macOS that uses the ESF to show process executions and forks, file events, share mounting events, kernel extension loads, and IPC event data. ESF provides a vast amount of data, but the goal was to just pick out the things that analysts would be interested in when analyzing a piece of malware or trying to understand how a process (or component) works. Just the right amount of data without being a firehose of events to the user : https://www.fireeye.com/blog/threat-research/2020/03/crescendo-real-time-event-viewer-for-macos.html
🦠
Crits
cyber threat intelligenceanalytics
Free
Web-based tool which combines an analytic engine with a cyber threat database.
🗃️
Crowd Response
artifact collectionwindows
Free
Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
Cuckoo Sandbox
sandbox
FreeCommercial
Open Source Highly configurable sandboxing tool.
Cuckoo-modified
sandboxmalware analysis
FreeDeprecated
Heavily modified Cuckoo fork developed by community.
⚙️
Cutter
reverse engineering framework
Free
Cutter is a free and open-source reverse engineering framework powered by radare2 . Its goal is making an advanced, customizable and FOSS reverse-engineering platform while keeping the user experience at mind. Cutter is created by reverse engineers for reverse engineers.
🎫
CyberCPR
sirp
CommercialFree
Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
🔍
CyberTriage
forensicsall-in-oneartifact analysis
FreeCommercial
Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
🗃️
CyLR
artifact collection
Free
The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.
🎫
Cyphon
sirpsoar
Free
Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
DetectionLab
detection toolsandboxwindowsactive directory
Free
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
🗃️
DFIR ORC
artifact collectionartifact analysiswindows
Free
.DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations.
🗃️
DFIR-O365RC
artifact collectionlogo365
Free
The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
🎫
DFIRTrack
reportingsirp
Free
DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application mainly based on Django using a PostgreSQL database back end.
☁️
Diffy
awscloudartifact analysisartifact collection
Free
Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.
🔍
Doorman
remoteforensicsosxlinux
Free
osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
🦹🏼
DumpsterFire
adversary emulation
Free
The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
🍎
Dylib Hijack Scanner (Objective-See)
osxartifact analysishijacking scanner
Free
Dylib Hijack Scanner or DHS, is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. The details behind this new OS X attack were presented at CanSecW, in a presentation titled, 'DLL Hijacking' on OS X? #@%& Yeah!
🔬
EZ Tools
artifact analysiswindows
Free
Incident Responders are on the front lines of intrusion investigations. Eric Zimmerman's Tools (EZ Tools) aim to support DFIR analysts in their quest to uncover the truth.
⚙️
Falcon Crowdstrike Orchestrator
soarorchestratorwindows
Free
Extendable Windows-based application that provides workflow automation, case management and security response functionality.
🎫
Fast Incident Response (FIR)
sirp
Free
FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents. FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It was tailored to suit our needs and our team's habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit.
🗃️
FastIR Artifacts
artifact collectionwindowslinuxosx
Free
FastIR Artifacts is a forensic artifacts collector that can be used on a live host. FastIR Artifacts is focused on artifact collection, there is no parsing or analysis of the collected artifacts.
🗃️
FastIR Collector Linux
linux artifact collection
Free
FastIR for Linux collects different artefacts on live Linux and records the results in csv files.
📑
Fenrir
ioc scannerlinuxosx
Free
Simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI.
🗃️
Fibratus
kernelwindowsartifact collection
Free
Fibratus is a tool which is able to capture the most of the Windows kernel activity - process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more.
🧠
fileintel
file analysiscyber threat intelligence
Free
Pull intelligence per file hash.
⚙️
Firmware
file analysissaasfirmware
Beta
Firmware.RE is a free service that unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware. Slowly but steady, we are working on some of most interesting firmwares so that you can benefit from ultimate embedded security.
🦹🏼
Flare FakeNet NG
adversary emulation
Free
FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski : https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html
🔍
Fleetdm
remoteforensicslinuxosx
FreeDeprecated
State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continous updates, features and fast answers to big questions.
Gatewatcher Intelligence
artifact analysisfile analysismalware analysissaas
FreeCommercial
Malware analysis service provided by Gatewatcher
💾
GetData Forensic Imager
disk image creation
Free
Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
🔍
Google Rapid Response (GRR)
forensicsremotewindowslinuxosxframeworkall-in-one
Free
Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, PowerGRR provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
💾
GoSecure Responder PRO
malware analysislive memory acquisitionmemory analysis
Commercial
GoSecure Responder PRO leverages proprietary behavioral engine, Digital DNA, to obtain impact scoring, which helps users in malware analysis and other threat indicators to uncover root cause. The fundamental difference is Responder PRO delivers a consistently updated tool behavioral intelligence source, built on over 3000+ traits, to correlate the analysis performed on a single machine.
💾
Guymager
disk image creation
Free
Free forensic imager for media acquisition on Linux.
🦌
HELK
analytics
Free
The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.
🕸️
Hindsight
internet history forensics
Free
Internet history forensics for Google Chrome/Chromium
🧠
hostintel
cyber threat intelligencehost analysis
Free
Pull intelligence per host.
Hybrid-Analysis
sandboxsaasmalware analysisartifact analysisurl analysis
Free
Free powerful online sandbox by CrowdStrike.
🔎
IBM X-Force
saasfile analysisurl analysisartifact search
Free
🔒
ID Ransomware from MalwareHunterTeam
ransomwaresaas
Free
Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.
💾
imagemounter
acquisitionmounting
Free
Command line utility and Python package to ease the (un)mounting of forensic disk images.
📁
Inquest Deep File Inspection (DFI)
file analysissaasdeobfuscation
Free
A core facet to the InQuest solution is our Deep File Inspection (DFI) engine. Capable of recursively decompressing, decoding, deobfuscating, decompiling, deciphering, and more. We aim to automate and scale the reverse engineering skill-set of a typical SOC analyst. While not in full parity with our production engine, this InQuest Labs tool can identify and extract embedded logic, semantic context (including that embedded within images through OCR), and metadata. Additionally, artifacts such as URLs, domains, IPs, e-mail addresses, file names, and XMP IDs are extracted and searchable. Drag and drop one or more files to queue them for analysis. The current public release is limited to Microsoft and Open Office documents, spreadsheets, and presentations up to 15MB in size. In the future, we will expose lite versions of our Adobe PDF, Oracle Java, and Adobe Flash DFI shims. Read more in our Introduction to Deep File Inspection, dig deeper in our Walkthrough of a Common Malware Carrier, read more about InQuest, about DFI or contact us directly for a formal capabilities briefing.
Intezer
saassandboxmalware analysis
FreeCommercial
Automate your Security Operations and Incident Response with Genetic Malware Analysis. With Intezer Analyze, quickly analyze files and devices to immediately understand the What, Who, & How of a potential cyber incident, by identifying even the smallest pieces of code reuse. Join our free community edition now.
🦹🏼
Invoke-Adversary
adversary emulation
Free
Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator excellent tool from Florian Roth.
🗃️
ir-rescue
artifact collection
Free
Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Joe Sandbox
sandboxsaas
FreeCommercial
🗃️
Kansa
artifact collectionartifact analysiswindows
Free
A modular incident response framework in Powershell. It's been tested in PSv2 / .NET 2 and later and works mostly without issue.
🦠
Kaspersky Data Feeds
cyber threat intelligencefeed
Free
🍎
KextViewr (Objective-See)
osxartifact analysis
Free
View all modules on that are loaded in the OS kernel. Modules that are loaded into the kernel are called kernel extension, or 'kexts.' They run at the OS's highest privilege level; ring-0. KextViewr displays all loaded kexts, along with their signing status, full path, VirusTotal detection ratios, and more!
🍎
KnockKnock (Objective-See)
osxartifact analysispersistence
Free
"Who's there?" See what's persistently installed on your Mac. Malware installs itself persistently (scripts, commands, binaries, etc.) to ensure it is automatically executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
🗃️
Kroll Artifact Parser and Extractor (KAPE)
artifact collectionwindows
Free
KAPE is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes.
🔍
Limacharlie
all-in-onesaaswindowsosxlinuxandroidiosforensics
CommercialFree
Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality. The LimaCharlie commercial version offers a free tier (no credit card required) of two sensors that includes a years worth of telemetry storage and search. It should take you less than 10 minutes to get data flowing from an endpoint after you sign up (it is really that easy).
💾
LiME
live memory acquisitionlinuxandroid
Free
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
💾
Linux Memory Grabber
live memory acquisitionlinux
Free
Script for dumping Linux memory and creating Volatility profiles.
🗃️
Live Response Collection
artifact collection
Free
Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.
📑
Logdissect
logparsing
Free
CLI utility and Python API for analyzing log files and other data.
⏰
LOKI
yaraioc scanner
Free
Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs).
📑
LORG
logartifact analysishttpd
Free
A tool for advanced HTTPD logfile security analysis and forensics
🍎
LuLu (Objective-See)
osxfirewallnetwork monitoring
Free
In today's connected world, it is rare to find an application or piece of malware that doesn't talk to a remote server. Let's control this! LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.
🗃️
mac_apt - macOS Artifact Parsing Tool
osx artificat collection
Free
mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..)
💾
Magnet ACQUIRE
disk image creationosxandroid
Free
ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
💾
Magnet Encrypted Disk Detector
acquisition
Free
MAGNET Encrypted Disk Detector (v3.0 released May 12th, 2020) is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled .
💾
Magnet RAM Capture
live memory acquisitionwindows
Free
Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
🔍
MalConfScan (Volatility)
live memory acquisitionmalware analysis
Free
MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
🦠
Malware Information Sharing Platform (MISP)
cyber threat intelligence
Free
Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing
⚙️
Manalzyer
malware analysissaasstatic analysis framework
Free
Manalyzer is a free service which performs static analysis on PE executables to detect undesirable behavior.
💾
Margarita Shotgun
live memory acquisition
Free
Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.
⚙️
Mastiff
static analysis framework
FreeDeprecated
Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
📑
MEEKRAT
windowsartifact collectionioc scanner
Free
PowerShell-based triage and threathunting for Windows.
🔎
MetaDefender Cloud OPSWAT
saasfile analysisurl analysisartifact search
FreeCommercial
🦹🏼
Metta
adversary emulation
Free
Metta is an information security preparedness tool. This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The project parses yaml files with actions and uses celery to queue these actions up and run them one at a time without interaction.
🦹🏼
Mordor
adversary emulation
Free
The Mordor project provides pre-recorded security events generated after simulating adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption and Packet Capture (PCAP) files as additional context when applicable. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
⚙️
MozDef
all-in-onesiem
Free
Automates the security incident handling process and facilitate the real-time activities of incident handlers.
⚙️
MSTIC Jupyter and Python Security Tools
acquisitionartifact collectionanalyticsartifact analysisazure sentinel
Free
Microsoft Threat Intelligence Python Security Tools. msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: - query log data from multiple sources - enrich the data with Threat Intelligence, geolocations and Azure resource data - extract Indicators of Activity (IoA) from logs and unpack encoded data - perform sophisticated analysis such as anomalous session detection and time series decomposition - visualize data using interactive timelines, process trees and multi-dimensional Morph Charts
🧠
Munin
cyber threat intelligencefile analysis
Free
Online hash checker for Virustotal and other services.
🍎
Netiquette (Objective-See)
osxnetwork monitoring
Free
In today's connected world, it is rare to find an application or piece of malware that doesn't talk to a remote server. Netiquette, a network monitor, allows one to explore all network sockets and connections, either via an interactive UI, or from the commandline.
🦹🏼
Network Flight Simulator
adversary emulation
Free
flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
⚙️
Network Security Toolkit (NST)
linux distributionnetwork monitoringartifact analysis
Free
Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
🔍
nightHawk Response
artifact analysisforensicsall-in-one
Free
Application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
🔎
Open Threat Exchange AlienVault
saasfile analysisurl analysisartifact search
Free
🦠
OpenCTI
cyber threat intelligence
Free
Store, organizer, visualize and share knowledge about cyber threats. Open source application, community-centered approach
🗃️
OS X Auditor
osx artificat collection
Free
OSX Auditor offshoot for live response.
🔬
OSForensics
all-in-oneforensics
Commercial
Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
🔍
osquery
analyticssystem monitoringosxlinuxwindowsfreebsd
Free
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Available for Linux, macOS, Windows, and FreeBSD.
📄
OSSEM
logstandardizationdocumentation
Free
The Open Source Security Events Metadata (OSSEM) is a community-led project that focuses primarily on the documentation and standardization of security event logs from diverse data sources and operating systems. Security events are documented in a dictionary format and can be used as a reference while mapping data sources to data analytics used to validate the detection of adversarial techniques.
🗃️
OSXCollector
osx artificat collection
Free
Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.
⚙️
PALADIN
all-in-onelinux distributionforensics
FreeCommercial
Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.
Pikker.ee Sandbox (Cuckoo)
sandboxmalware analysissaas
Free
A cuckoo sandbox provided by Pikker.ee
⏲️
Plaso
timeline analysis
Free
A Python-based backend engine for the tool log2timeline
🗃️
PMDump
process dumpwindowsartifact collection
Free
Tool that lets you dump the memory contents of a process to a file without stopping the process.
🧯
PowerSponse
containmentartifact searchprocess killing
Free
PowerSponse is a PowerShell module for targeted containment and remediation.
🗃️
ProcDump
process dumpwindowsartifact collection
Free
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
🗃️
ProcDump (Linux)
linuxlinux artifact collectionprocess dump
Free
ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. ProcDump provides a convenient way for Linux developers to create core dumps of their application based on performance triggers.
🍎
ProcessMonitor (Objective-See)
osxmalware analysissystem monitoring
Free
Leveraging Apple's new Endpoint Security Framework, this utility monitors process creations and terminations, providing detailed information about such events.
📑
PyaraScanner
yaraioc scanner
Free
Very simple multithreaded many-rules to many-files YARA scanning Python script for malware zoos and IR.
🔎
Quttera
saasurl analysis
Free
Free Online Website Malware Scanner check your website for malware and vulnerability exploits online
⚙️
Radare2
reverse engineering framework
Free
r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers... radare2 is portable.
💾
RaQet
acquisitionremote
Free
Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
📑
rastrea2r
yaraartifact analysiswindowslinuxosx
Free
Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X.
🦹🏼
Red Team Automation (RTA) by Elastic
adversary emulation
Free
RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
🦹🏼
RedHunt Linux Distribution (VM) v2
adversary emulation
Free
Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs RedHunt OS aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
🔍
Redline (FireEye)
forensicsanalyticswindowslinuxosxartifact collection
Free
Redline 2.0 is now able to collect investigative artifacts available from OS X and Linux environments. Redline will also import and analyze triages and acquisitions from the FireEye Endpoint Security audit viewer.
📑
reg_hunter
registrywindowsforensics
Free
Blueteam operational triage registry hunting/forensic tool.
📑
RegRipper
windowsartifact collectionregistry
Free
Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
🍎
ReiKey (Objective-See)
osxartifact analysiskeylogger
Free
Malware and other applications may install persistent keyboard "event taps" to intercept your keystrokes. ReiKey can scan, detect, and monitor for such taps!
💾
Rekall
acquisitionlive memory acquisition
Free
Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
🦠
REMnux
malware analysislinux distribution
Free
REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.
🎫
Request Tracker for Incident Response (RTIR)
sirp
Free
Request Tracker for Incident Response (RTIR) builds on all the features of RT and provides pre-configured queues and workflows designed for incident response teams. It's the tool of choice for many CERT and CSIRT teams all over the globe.
🎫
Sandia Cyber Omni Tracker (SCOT)
Free
Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
⚙️
SANS Investigative Forensic Toolkit (SIFT) Workstation
all-in-oneforensicslinux distribution
Free
Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
Security Onion
all-in-oneanalyticslinux distribution
Free
Special Linux distro aimed at network security monitoring featuring advanced analysis tools.
📑
Sigma
logyararulesetsiemalerting
Free
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.
🔬
SilkETW
windowsartifact analysisetw
Free
SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools : https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html
🔎
SiteCheck Sucuri
saasurl analysis
Free
Free website security check & malware scanner
⚙️
Skadi
all-in-onewindowslinuxosx
Free
Skadi is a free, open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images. It works on MacOS, Windows, and Linux machines. It scales to work effectively on laptops, desktops, servers, the cloud, and can be installed on top of hardened / gold disk images.
🦌
SOF ELK
analytics
Free
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper (specifically filebeat). With a significant amount of customization and ongoing development, SOF-ELK® users can avoid the typically long and involved setup process the Elastic stack requires. Instead, they can simply download the pre-built and ready-to-use SOF-ELK® virtual appliance that consumes various source data types (numerous log types as well as NetFlow), parsing out the most critical data and visualizing it on several stock dashboards. Advanced users can build visualizations the suit their own investigative or operational requirements, optionally contributing those back to the primary code repository.
💿
Stalk
mysqlforensicsartifact collection
Free
Collect forensic data about MySQL when problems occur.
📦
Steganographer
full-packet-capture
Free
Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
⏰
StreamAlert
analyticsserverlessalertinglogawslambda
Free
StreamAlert (developed by AirBnB) is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
⚙️
StringSifter
machine learningmalware analysis
Free
StringSifter is a machine learning tool that automatically ranks strings based on their relevance for malware analysis.
🌟
Sysmon DFIR
windowsartifact collectiondetection toolrulesetsystem monitoringsysmon
Free
A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.
🍯
T-Pot
honeypotcyber threat intelligence
Free
T-Pot 20.06 runs on Debian (Stable), is based heavily on docker, docker-compose and includes dockerized versions of the following honeypots
🍎
TaskExplorer (Objective-See)
osxartifact analysis
Free
Explore all the tasks (processes) running on your Mac with TaskExplorer. Quickly see a task's signature status, loaded dylibs, open files, network connection, and much more!
🔍
The Sleuth Kit
artifact collectionall-in-onefile analysis
Free
The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
🐝
TheHive Project
sirpsoar
Free
TheHive is a scalable 4-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion for MISP.
🔎
ThreatCrowd is now powered by AlienVault
saasurl analysisfile analysisartifact search
Free
🦠
ThreatFox
saascyber threat intelligenceartifact analysismalware analysisioc scanner
Free
ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
📒
threatnote.io
reportingcyber threat intelligence
FreeCommercial
Cyber Threat Intelligence Notebook: Manage your Threat Intelligence lifecycle through threatnote.io with intelligence requirements, reporting and stakeholder management.
🖥️
ThreatPursuit VM (FireEye)
cyber threat intelligence
Free
A Threat Intelligence and Hunting Virtual Machine with 50+ tools for CTI and ThreatHunting
⏲️
Timesketch
timeline analysis
Free
Timesketch is an open source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.
🐧
UAC (Unix-like Artifacts Collector)
artifact collectionlinuxosxosx artificat collectionsolarisaixbsd
Free
AC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.
Valkyrie Comodo
saasmalware analysis
Free
Valkyrie is a file verdict system. Different from traditional signature based malware detection techniques Valkyrie conducts several analysis using run-time behavior and hundreds of features from a file and based on analysis results can warn users against malware undetected by classic Anti-Virus products.
🔍
Velocyraptor
forensicsremotewindowsframeworkall-in-one
Free
Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It was originally developed by DFIR professionals who needed a powerful and efficient way to hunt and monitor activities across fleets of endpoints for specific artefacts, in a wide range of digital forensic and cyber incident response investigations such as:
🗂️
Viper
binary analysis and management framework
Free
Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research. It works well with Cuckoo and YARA.
🦠
VirusBay
malware exchangereporting
Free with an inviteCommercial
VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers. Created by high-end malware researchers, VirusBay is designed to help organizations effectively respond to and recover from an IT security incident when it is not possible for an external expert to visit their facility.
🔎
VirusTotal
saasfile analysisurl analysisartifact search
FreeCommercial
💾
Volatility
acquisitionlive memory acquisition
Free
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
🍎
What's Your Sign? (Objective-See)
osxartifact analysiscrypto signature
Free
Verifying a file's cryptographic signature can deduce its origin or trustability. Unfortunately on macs there's no simple way to view a file's signature via the UI. WhatsYourSign adds a menu item to Finder.app. Simply right-, or control-click on any file to display its cryptographic signing information!
🗂️
Wintriage (Securizame)
artifact collectionartifact analysiswindowsforensics
Free
Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive.
🔍
X-Way Forensics
all-in-onedisk image creationacquisitionmemory analysisfile analysistimeline analysis
Commercial
X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. Runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016*, 32 Bit/64 Bit, standard/PE/FE. (Windows FE is described here, here and here.) Compared to its competitors, X-Ways Forensics is more efficient to use after a while, by far not as resource-hungry, often runs much faster, finds deleted files and search hits that the competitors will miss, offers many features that the others lack, as a German product is potentially more trustworthy, comes at a fraction of the cost, does not have any ridiculous hardware requirements, does not depend on setting up a complex database, etc.!
💿
xCyclopedia
baseliningexecutables
Free
The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system. Currently, this includes all observed EXE and DLL files, as well as COM Objects (new!). It provides a web page to view the data as well as a machine-readable format (JSON and CSV) that can be immediately usable in other systems such as SIEMs to enrich observed executions with contextual data.
⏰
Yara
cyber threat intelligenceyara
Free
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:
⏰
Yara-Rules
cyber threat intelligenceyararuleset
Free
This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
📑
yet another registry parser (yarp)
windowsregistryartifact analysisparsing
Free
Project goals: the library and tools - Parse Windows registry files in a proper way (with forensics in mind). - Expose values of all fields of underlying registry structures. - Support for truncated registry files and registry fragments. - Support for recovering deleted keys and values. - Support for carving of registry hives. - Support for transaction log files.
Yomi
sandboxsaasmalware analysis
Free
Free MultiSandbox managed and hosted by Yoroi.
🔍
Zentral
artifact collectionartifact analysislinuxosxall-in-one
Free
Zentral is an Event Hub to gather, process, and monitor system events and link them to an inventory. Combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.