Security Toolbox Forensics & Analysis Resources 21 - itnett/FTD02H-N GitHub Wiki
🔐 Comprehensive List of Forensics and Security Tools
| Category | Tool/Resource Name | Description | Link |
|---|---|---|---|
| Forensics Resources | AboutDFIR – The Definitive Compendium Project | Collection of forensic resources for learning and research. | AboutDFIR |
| Forensics Resources | ForensicArtifacts.com Artifact Repository | Machine-readable knowledge base of forensic artifacts. | Forensic Artifacts |
| Forensics Resources | Forensics tools on Wikipedia | Wikipedia's list of forensics tools. | Wikipedia Tools |
| Forensics Resources | Eric Zimmerman's Tools | Comprehensive suite of Windows artifact analysis tools by Eric Zimmerman. | Eric Zimmerman's Tools |
| Distributions | bitscout | LiveCD/USB for remote forensic acquisition and analysis. | bitscout |
| Distributions | Remnux | Linux distro for reverse engineering and malware analysis. | Remnux |
| Distributions | SANS Investigative Forensics Toolkit (SIFT) | Linux distro for forensic analysis. | SIFT |
| Distributions | Tsurugi Linux | Linux distro for forensic analysis. | Tsurugi |
| Distributions | WinFE | Windows Forensics Environment. | WinFE |
| Frameworks | Autopsy | GUI for SleuthKit, a low-level forensic analysis tool. | Autopsy |
| Frameworks | dexter | Extensible and secure forensics acquisition framework. | dexter |
| Frameworks | dff | Forensic framework for analyzing data. | dff |
| Frameworks | Dissect | Digital forensics and incident response framework developed by Fox-IT. | Dissect |
| Frameworks | IntelMQ | Framework for collecting and processing security feeds. | IntelMQ |
| Frameworks | Kuiper | Digital Investigation Platform to store and analyze forensic artifacts. | Kuiper |
| Frameworks | Laika BOSS | Object scanner and intrusion detection system. | Laika BOSS |
| Live Forensics | grr | Remote live forensics for incident response. | grr |
| Live Forensics | Linux Expl0rer | Easy-to-use live forensics toolbox for Linux endpoints. | Linux Expl0rer |
| Live Forensics | osquery | SQL-powered operating system analytics. | osquery |
| Live Forensics | POFR | Linux tool to collect process execution, file access, and network/socket endpoint data. | POFR |
| IOC Scanners | Fastfinder | Customizable cross-platform IOC scanner with YARA support. | Fastfinder |
| IOC Scanners | Fenrir | Simple Bash-based IOC scanner. | Fenrir |
| IOC Scanners | Loki | IOC and incident response scanner. | Loki |
| IOC Scanners | THOR Lite | Free IOC and YARA scanner for detecting threats. | THOR Lite |
| Acquisition Tools | Acquire | Tool for gathering forensic artifacts from disk images or live systems. | Acquire |
| Acquisition Tools | artifactcollector | Customizable agent for collecting forensic artifacts on Windows, macOS, and Linux. | artifactcollector |
| Acquisition Tools | Magnet RAM Capture | Free RAM capture tool for forensic analysis. | Magnet RAM Capture |
| Imaging Tools | dc3dd | Improved version of dd with enhanced features for disk imaging. | dc3dd |
| Imaging Tools | Guymager | Open-source tool for disk imaging on Linux systems. | Guymager |
| Memory Forensics | Rekall | Memory forensics framework for analyzing system memory dumps. | Rekall |
| Memory Forensics | Volatility | The leading framework for memory forensics and incident response. | Volatility |
| Memory Forensics | Redline | Memory forensics tool by FireEye for analyzing memory and system artifacts. | Redline |
| Network Forensics | Arkime (Moloch) | Open-source full-packet network traffic capture and analysis tool. | Arkime |
| Network Forensics | NetWitness Investigator | Network forensics tool for capturing and analyzing network traffic. | NetWitness |
| Windows Artifacts | RegRipper | Open-source tool for parsing and analyzing the Windows registry. | RegRipper |
| Windows Artifacts | LogonTracer | Tool for visualizing and analyzing Windows logon events. | LogonTracer |
| Linux Forensics | LinEnum | Script for performing a security audit and extracting potential vulnerabilities from Linux systems. | LinEnum |
| Linux Forensics | LiME | Kernel module for memory acquisition from Linux systems. | LiME |
| Mobile Forensics | UFED (Cellebrite) | Industry-leading tool for mobile device data extraction and analysis. | Cellebrite UFED |
| Mobile Forensics | ALEAPP | Android Logs Events and Protobuf Parser for analyzing Android devices. | ALEAPP |
| Mobile Forensics | iLEAPP | iOS Logs, Events, And Plists Parser for analyzing iOS devices. | iLEAPP |
| Cloud/Docker Forensics | docker-explorer | Tool for exploring and analyzing forensic artifacts from Docker systems. | docker-explorer |
| Cloud/Docker Forensics | CloudTrail Forensics | AWS CloudTrail data collection and analysis tool for cloud forensics. | CloudTrail Forensics |
| Internet Forensics | Hindsight | Internet history forensics tool for Google Chrome and Chromium. | Hindsight |
| Internet Forensics | Web Historian | Tool for analyzing browser history artifacts from multiple browsers. | Web Historian |
| Timeline Analysis | plaso | Framework for extracting timestamps from files and aggregating them into forensic timelines. | plaso |
| Timeline Analysis | Timesketch | Collaborative tool for forensic timeline analysis. | Timesketch |
🔐 Additional Forensics and Security Tools (Not Previously Covered)
| Category | Tool/Resource Name | Description | Link |
|---|---|---|---|
| Incident Response | TheHive | Open-source platform for incident response, allowing comprehensive case management and collaboration. | TheHive |
| Incident Response | Cortex | SOAR solution integrated with TheHive for automated incident response and orchestration. | Cortex |
| Incident Response | MISP | Malware Information Sharing Platform for sharing threat intelligence and malware information. | MISP |
| Incident Response | CIRTkit | Toolkit for handling incident response, forensic acquisition, and threat detection. | CIRTkit |
| Disk Forensics | Disk Drill | Tool for recovering lost data and performing disk image analysis on Windows and macOS. | Disk Drill |
| Disk Forensics | X-Ways Forensics | Commercial forensic tool for disk analysis, recovery, and data extraction. | X-Ways Forensics |
| Disk Forensics | Belkasoft Evidence Center | Complete solution for gathering and analyzing digital evidence from various sources, including hard drives. | Belkasoft EC |
| Disk Forensics | Autopsy Bulk Extractor | Extracts data such as email addresses and credit card numbers from disk images for further analysis. | Autopsy Bulk Extractor |
| Memory Forensics | MemTriager | Lightweight tool for quickly analyzing Windows memory for signs of malware or anomalies. | MemTriager |
| Memory Forensics | PANDA | A memory analysis framework that allows you to log and replay events from memory dumps. | PANDA |
| Network Forensics | NetWitness Investigator | Network forensic tool for real-time traffic capture and analysis to detect malicious activity. | NetWitness Investigator |
| Network Forensics | TShark | Command-line packet analysis tool, part of the Wireshark package, for analyzing network traffic. | TShark |
| Windows Artifacts | Belkasoft RAM Capturer | Free tool for capturing volatile memory from Windows systems for analysis of malware and hidden threats. | Belkasoft RAM Capturer |
| Windows Artifacts | FastIR Collector | A tool for collecting critical artifacts from Windows systems for incident response and forensic analysis. | FastIR Collector |
| Windows Artifacts | WindowsSCOPE | Advanced tool for analyzing Windows memory dumps for detecting malware, rootkits, and other hidden threats. | WindowsSCOPE |
| Linux Forensics | LIMA | Linux Memory Analysis tool for deep analysis of memory dumps from Linux systems. | LIMA |
| Mobile Forensics | Elcomsoft iOS Forensic Toolkit | Forensics tool to extract data from iOS devices, even from locked devices. | Elcomsoft iOS Toolkit |
| Cloud/Docker Forensics | docker-explorer | Tool for exploring and analyzing Docker host systems for forensic artifacts. | docker-explorer |
| Cloud/Docker Forensics | CloudTrail Forensics | AWS CloudTrail data collection and analysis tool for cloud forensics. | CloudTrail Forensics |
| Internet Forensics | Web Historian | Tool for analyzing browser history artifacts from multiple web browsers (Chrome, Firefox, IE, etc.). | Web Historian |
| Timeline Analysis | Timesketch | Collaborative forensic timeline analysis tool, allowing multiple analysts to work together on investigations. | Timesketch |
| Learning Resources | This Week In 4n6 | Weekly updates with the latest in digital forensics, tools, and techniques. | This Week In 4n6 |
| Learning Resources | DFIR.training | Offers a wide array of training materials, resources, and courses for digital forensics and incident response. | DFIR.training |
| Learning Resources | ForensicsWiki | A wiki focused on digital forensics, containing information about tools, techniques, and documentation. | ForensicsWiki |
| Learning Resources | BlueTeam.Lab | Blue Team detection lab using Terraform and Ansible, designed for training in cloud environments. | BlueTeam.Lab |
| | DFIR ORC | Forensics artifact collection tool for systems running Microsoft Windows. | DFIR ORC |
🔐 Additional Forensics and Security Tools - Part 3
| Category | Tool/Resource Name | Description | Link |
|---|---|---|---|
| Forensics Resources | CyberDefenders | A platform offering free forensics challenges and labs for security professionals. | CyberDefenders |
| Forensics Resources | Precision Widgets of North Dakota Intrusion | A forensics challenge that tests investigators' skills in real-life scenarios. | Precision Widgets |
| Incident Response | IRIS | Collaborative incident response platform that enables teamwork and incident documentation. | IRIS |
| Incident Response | Incidents | Web application for organizing non-trivial security investigations with a tree-based structure of tickets. | Incidents |
| Timeline Analysis | DFTimewolf | Framework for orchestrating forensic collection, processing, and data export using GRR and Rekall. | DFTimewolf |
| Timeline Analysis | Timeline Explorer | Timeline analysis tool for CSV and Excel files, built for SANS FOR508 students. | Timeline Explorer |
| Disk Image Handling | Disk Arbitrator | Mac OS X forensic utility to ensure proper forensic procedures during disk imaging. | Disk Arbitrator |
| Disk Image Handling | libewf | Library and tools to access Expert Witness Compression Format (EWF, E01) disk images. | libewf |
| Disk Image Handling | PancakeViewer | Disk image viewer based on dfvfs, similar to FTK Imager Viewer. | PancakeViewer |
| Decryption | hashcat | Fast password recovery tool with GPU support, often used for cracking password hashes. | hashcat |
| Decryption | John the Ripper | Password cracking tool supporting many hashing algorithms, used for recovering credentials from password hashes. | John the Ripper |
| Steganography Tools | Steghide | Steganography program that hides data within image and audio files. | Steghide |
| Steganography Tools | Zsteg | Steganographic coder and decoder for PNG files, widely used for detecting hidden data. | Zsteg |
| Metadata Forensics | ExifTool | Metadata analysis tool used to extract, modify, and analyze EXIF data from image and document files. | ExifTool |
| Metadata Forensics | FOCA | Tool used to find metadata and hidden information in documents, such as author names and file paths. | FOCA |
| Picture Analysis | Ghiro | Fully automated tool designed to perform forensic analysis over a large number of images. | Ghiro |
| Picture Analysis | sherloq | Open-source toolset for digital photographic image forensics. | sherloq |
| Mobile Forensics | Andriller | Software utility with a collection of forensic tools for smartphones, including Android and iOS. | Andriller |
| Mobile Forensics | OpenBackupExtractor | Application for extracting data from iPhone and iPad backups. | OpenBackupExtractor |
| Mobile Forensics | MEAT | Tool to perform various kinds of acquisitions on iOS devices. | MEAT |
| Network Forensics | Kismet | Wireless network detection tool, sniffer, and intrusion detection system that supports many Wi-Fi devices. | Kismet |
| Network Forensics | Squey | PCAP log visualization software designed to detect anomalies and weak signals in large data sets. | Squey |
| OS X Forensics | mac_apt | macOS Artifact Parsing Tool to extract forensic artifacts from disk images or live systems. | mac_apt |
| OS X Forensics | OSXAuditor | A free Mac OS X computer forensics tool for analyzing malware and conducting security assessments. | OSXAuditor |
| OS X Forensics | MacLocationsScraper | Tool to dump the contents of the location database on iOS and macOS devices. | MacLocationsScraper |
| Reverse Engineering | FLOSS | Static analysis tool for automatically deobfuscating strings in malware binaries. | FLOSS |
| Reverse Engineering | IDA Pro | Advanced software for reverse engineering, used for analyzing binaries and malware. | IDA Pro |
| CTFs and Challenges | BelkaCTF | CTF challenges created by Belkasoft, including memory and digital forensics puzzles. | BelkaCTF |
| CTFs and Challenges | MemLabs | Memory forensics challenges focusing on incident response, malware analysis, and digital forensics skills. | MemLabs |
| CTFs and Challenges | NW3C Challenges | Computer forensics challenges offered by the National White Collar Crime Center (NW3C). | NW3C Challenges |
| Learning Resources | OpenLearn - Digital Forensics Course | Free course on digital forensics from The Open University. | OpenLearn Forensics |
| Learning Resources | Hacking Case (4.5 GB NTFS Image) | Forensics challenge with an NTFS image, used for teaching students and professionals how to investigate disks. | Hacking Case |
| Reverse Engineering | ReverseEngineering Challenges | A collection of reverse engineering challenges, designed to enhance skills in reverse engineering malware. | Reverse Engineering Challenges |
| Miscellaneous | ForensicPosters | Posters displaying file system structures and important forensic artifacts for quick reference. | ForensicPosters |
| Miscellaneous | SANS Posters | Free posters provided by SANS that contain forensics and cybersecurity cheat sheets. | SANS Posters |
| Digital Forensics Labs | BlueTeam.Lab | Blue Team detection lab created with Terraform and Ansible, deployed in Azure for forensic training. | BlueTeam.Lab |