There’s a tool for that![A big list of Digital Forensic Tools]
Everything you’ll need for incident response.
Digital Forensics and Incident Response (FIR) teams are groups of people in an organisation responsible for managing the response to a security incident, including gathering evidence of the incident, remediating its effects, and implementing controls to prevent the incident from recurring in the future.
[ IR Tools Collection ]
APTSimulator- Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
Atomic Red Team (ART) – Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
AutoTTP – Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
Blue Team Training Toolkit (BT3) – Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
Caldera – Automated adversary emulation system that performs post-compromise adversarial behaviour within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK’) project.
DumpsterFire – Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
Metta – Information security preparedness tool to do adversarial simulation
Network Flight Simulator – Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility
Red Team Automation (RTA) – RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious trade-craft, modelled after MITRE ATT&CK.
RedHunt-OS – Virtual machine for adversary emulation and threat hunting.
[ All-In-One Tools ]
Belkasoft Evidence Center – The toolkit will quickly extract digital evidence from multiple sources by analysing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, ITAG and chip-off dumps.
CimSweep – Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
CIRTkit – CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
Cyber Triage – Cyber Triage remotely collects and analyses endpoint data to help determine if it is compromised. It’s agent-less approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
Doorman – osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery’s TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
Falcon Orchestrator – Extendable Windows-based application that provides workflow automation, case management and security response functionality.
Flare – A fully custom, Windows-based security distribution for malware analysis, incident response penetration testing.
Fleetdm – State of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions.
GRR Rapid Response – Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, PowerGRR provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
Kuiper – Digital Forensics Investigation Platform
Limacharlie – Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and ¡OS) low-level environment for managing and pushing additional modules into memory to extend its functionality.
MozDef – Automates the security incident handling process and facilitate the real-time activities of incident handlers.
NightHawk – Application built for asynchronus forensic data presentation using ElasticSearch as the backend. It’s designed to ingest Redline collections.
Open Computer Forensics Architecture – Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
osquery – Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided incident-response pack helps you detect and respond to breaches.
Redline – Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
The Sleuth Kit & Autopsy – Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
TheHive – Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERT and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
Velociraptor – Endpoint visibility and collection tool
X-Ways Forensics – Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
Zentral – Combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.
[ Books ]
Applied Incident Response – Steve Anson’s book on Incident Response.
Introduction to FIR – By Scott J. Roberts.
Incident Response & Computer Forensics, Third Edition – The definitive guide to incident response.
Intelligence-Driven Incident Response – By Scott J. Roberts, Rebekah Brown.
Operator Handbook: Red Team + OSINT + Blue Team Reference – Great reference for incident responders.
The Practice of Network Security Monitoring: Understanding Incident Detection and Response Richard Beitlich’s book on IR.
Communities augmentd – Community driven site providing a list of searches that can be implemented in and executed with a variety of common security tools.
Digital Forensics Discord Server – Community of 8,000+ working professionals from Law Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty of students and hobbyists! Guide here.
SANS FIR mailing list – Mailing list by SANS for DFIR.
Slack DFIR channel – Slack FIR Community channel Signup here.
[ Disk Image Creation Tools ]
AccessData FK Imager – Forensics tool whose main purpose is to preview recoverable data from a disk of any kind, FK Imager can also acquire live memory and paging file on 32bit and 64bit systems.
Bitscout – Bitscout by Vitaly Kamluk helps you build your fully-trusted customisation LiveD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitor-able by the owner of the system, forensically sound, customisation and compact.
GetData Forensic Imager – Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
Guymager – Free forensic imager for media acquisition on Linux.
Magnet ACQUIRE – ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
[ Evidence Collection ]
artifactcollector – The artifactcollector project provides a software that collects forensic artefacts on systems.
bulk extractor – Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness.
Cold Disk Quick Response – Streamlined list of parsers to quickly analyse a forensic image file (dd, EQ1, •vmdk, etc) and output nine reports.
CyLR – The CyLR tool collects forensic artefacts from hosts with NTFS file systems quickly, securely and minimises impact to the host.
Forensic Artefacts – Digital Forensics Artefact Repository
ir-rescue – Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Live Response Collection – Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.
Margarita Shotgun – Command line utility (that works with or without Amazon EC2 instances) to parallelised remote memory acquisition,
UAC – UAC (Unix-like Artefacts Collector) is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of Unix-like systems artefacts. Supported systems; AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.
[ Incident Management ]
CyberCPR – Community and commercial incident management tool with Need-to-Know built in to support GDP compliance while handling sensitive incidents.
Cyphon – Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow -~ aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
CORTEX XSOAR – Paloalto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations.
DFTimewolf – A framework for orchestrating forensic collection, processing and data export.
DFIRTrack – Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts.
Fast Incident Response (FIR) – Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
RTIR – Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
Sandia Cyber Omni Tracker (SCOT) – Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
Shuffle – A general purpose security automation platform focused on accessibility.
threat_note – Lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research.
[ Linux Distributions ]
The Appliance for Digital Investigation and Analysis (ADIA) – VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
Computer Aided Investigative Environment (CAINE)– Contains numerous tools that help investigators during their analysis, including forensic evidence collection.
CCF-VM – CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.
Digital Evidence & Forensics Toolkit (DEFT) – Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.
NST – Network Security Toolkit – Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
PALADIN – Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included.
Security Onion – Special Linux distro aimed at network security monitoring featuring advanced analysis tools.
SANS Investigative Forensic Toolkit (SIFT) Workstation Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting edge open- source tools that are freely available and frequently updated.
[ Linux Evidence Collection ]
FastIR Collector Linux – FastIR for Linux collects different artefacts on live Linux and records the results in CV files.
[ Memory Analysis Tools ]
AVML – A portable volatile memory acquisition tool for Linux.
Evolve – Web interface for the Volatility Memory Forensics Framework.
inVtero.net – Advanced memory analysis for Windows ×64 with nested hypervisor support.
LiME – Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux- based devices, formerly called DMD.
MalConfScan – MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
Memoryze – Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
Memoryze for Mac – Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however.
Rekall – Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
Responder PRO – Responder PRO is the industry standard physical memory and automated malware analysis solution.
Volatility – Advanced memory forensics framework.
Volatility 3 – The volatile memory extraction framework (successor of Volatility)
VolatilityBot – Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation.
VolDiff – Malware Memory Footprint Analysis based on Volatility.
WindowsSCOPE – Memory forensics and reverse engineering tool used for analysing volatile memory offering the capability of analysing the Windows kernel, drivers, DLLs, and virtual and physical memory.
[ Memory Imaging Tools ]
Belkasoft Live RAM Capturer – Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
Linux Memory Grabber – Script for dumping Linux memory and creating Volatility profiles.
Magnet RAM Capture – Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
OSForensics – Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
[ OSX Evidence Collection ]
Knockknock – Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX.
macOS Artifact Parsing Tool (mac_apt) – Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.
OSX Auditor – Free Mac OSX computer forensics tool.
OSX Collector – OSX Auditor offshoot for live response.
[ Process Dump Tools ]
Microsoft ProcDump – Dumps any running Win32 processes memory image on the fly.
PMDump – Tool that lets you dump the memory contents of a process to a file without stopping the process.
[ Sand-boxing/Reversing Tools ]
AMAaaS – Android Malware Analysis as a Service, executed in a native Android environment.
Any Run – Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.
a CAPEv2 – Malware Configuration And Payload Extraction.
Na Cuckoo – Open Source Highly configurable sand-boxing too.
Cuckoo-modified – Heavily modified Cuckoo fork developed by community.
Cuckoo-modified-api – Python library to control a cuckoo-modified sandbox.
Cutter – Reverse engineering platform powered by Radare2.
Ghidra – Software Reverse Engineering Framework.
Hybrid-Analysis – Free powerful online sandbox by CrowdStrike.
Intezer – Intezer Analyse dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
Joe Sandbox (Community) – Joe Sandbox detects and analyses potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
Mastiff – Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
Metadefender Cloud – Free threat intelligence platform providing multi-scanning, data sanitation and vulnerability assessment of files.
Radare2 – Reverse engineering framework and command-line toolset.
Reverse.IT – Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.
Rizin – UNIX-like reverse engineering framework and command-line toolset
StringSifter – A machine learning tool that ranks strings based on their relevance for malware analysis.
Valkyrie Comodo – Valkyrie uses run-time behaviour and hundreds of features from a file to perform analysis.
Viper – Python based binary analysis and management framework, that works well with Cuckoo and YARA.
Virustotal – Free online service that analyses files and URLs enabling the identification of viruses, worms, Trojans and other kinds of malicious content detected by antivirus engines and website scanners.
Visualize_Logs – Open source visualisation library and command line tools for logs (Cuckoo, Procmon, more to come).
Yomi – Free MultiSandbox managed and hosted by Yoroi.
[ Scanner Tools ]
Fenrir – Simple IOC scanner, It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by hitne-Iraronshallram/awocomo_incidant-rasnonsa/the creators of THOR and LOKI.
LOKI – Free IR scanner for scanning endpoint with yara rules and other indicators(lOCs).
Spyre – Simple YARA-based IOC scanner written in Go Timeline Tools
Aurora Incident Response – Platform developed to build easily a detailed timeline of an incident.
Highlighter – Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.
Morgue – PHP Web app by Etsy for managing postmortems.
Plaso – a Python-based back-end engine for the tool log2timeline.
Timesketch – Open source tool for collaborative forensic timeline analysis.
[ Videos ]
The Future of Incident Response – Presented by Bruce Schneier at WASP AppSecUSA 2015. Windows Evidence Collection
Choir – Framework/scripting tool to standardise and simplify the process of scripting live acquisition utilities for Windows.
Crowd Response – Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
FIR ORC – DFIR ORC is a collection of specialised tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyse it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub,
Fast|R Collector – Tool that collects different artifacts on live Windows systems and records the results in cv files. With the analyses of these artifacts, an early compromise can be detected.
Fibratus – Tool for exploration and tracing of the Windows kernel.
Hoarder – Collecting the most valuable artefacts for forensics or incident response investigations.
IREC – All-in-one I Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
Invoke-LiveResponse – Invoke-LiveResponse is a live response tool for targeted collection.
IOC Finder – Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2.
IRTriage – Incident Response Triage – Windows Evidence Collection for Forensic Analysis.
KAPE – Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.
LOKI – Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs).
MEERKAT – PowerShell-based triage and threat hunting for Windows
Panorama – Fast incident overview on live Windows systems.
PowerForensics – Live disk forensics platform, using PowerShell.
PRecon – PSRecon gathers data from a remote Windows host using PowerShell (V2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
RegRipper – Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
[ Other Lists ]
Awesome Forensics – A curated list of awesome forensic analysis tools and resources.
Didier Stevens Suite – Tool collection
Eric Zimmerman Tools – An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.
List of various Security APIs – Collective list of public JSON APIs for use in security.
I am slowly adding links to tools.tank.