awesome-forensics
A curated list of awesome forensic analysis tools and resources
4k stars
173 watching
619 forks
last commit: about 18 hours ago
Linked from 10 awesome lists
computer-forensicsdfirdigital-forensicsforensic-analysisfreeopen-source
Awesome Forensics / Collections | |||
AboutDFIR – The Definitive Compendium Project | Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more | ||
ForensicArtifacts.com Artifact Repository | 1,046 | about 2 months ago | Machine-readable knowledge base of forensic artifacts |
Awesome Forensics / Tools | |||
Forensics tools on Wikipedia | |||
Eric Zimmerman's Tools | |||
Awesome Forensics / Tools / Distributions | |||
bitscout | 461 | 4 months ago | LiveCD/LiveUSB for remote forensic acquisition and analysis |
Remnux | Distro for reverse-engineering and analyzing malicious software | ||
SANS Investigative Forensics Toolkit (sift) | 485 | 8 months ago | Linux distribution for forensic analysis |
Tsurugi Linux | Linux distribution for forensic analysis | ||
WinFE | Windows Forensics enviroment | ||
Awesome Forensics / Tools / Frameworks | |||
Autopsy | SleuthKit GUI | ||
dexter | 124 | over 5 years ago | Dexter is a forensics acquisition framework designed to be extensible and secure |
dff | 271 | over 4 years ago | Forensic framework |
Dissect | 909 | 26 days ago | Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group) |
hashlookup-forensic-analyser | 125 | about 1 year ago | A tool to analyse files from a forensic acquisition to find known/unknown hashes from API or using a local Bloom filter |
IntelMQ | 974 | 26 days ago | IntelMQ collects and processes security feeds |
Kuiper | 760 | 3 months ago | Digital Investigation Platform |
Laika BOSS | 736 | over 1 year ago | Laika is an object scanner and intrusion detection system |
OpenRelik | Forensic platform to store file artifacts and run workflows | ||
PowerForensics | 1,384 | 11 months ago | PowerForensics is a framework for live disk forensic analysis |
TAPIR | 43 | over 2 years ago | TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework |
The Sleuth Kit | 2,598 | 4 days ago | Tools for low level forensic analysis |
turbinia | 746 | 8 days ago | Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms |
IPED - Indexador e Processador de Evidências Digitais | 951 | 4 days ago | Brazilian Federal Police Tool for Forensic Investigations |
Wombat Forensics | 47 | 3 months ago | Forensic GUI tool |
Awesome Forensics / Tools / Live Forensics | |||
grr | 4,762 | 16 days ago | GRR Rapid Response: remote live forensics for incident response |
Linux Expl0rer | 407 | 7 months ago | Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask |
mig | 1,207 | about 5 years ago | Distributed & real time digital forensics at the speed of the cloud |
osquery | 21,798 | 4 days ago | SQL powered operating system analytics |
POFR | 37 | 3 months ago | The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System |
UAC | 758 | about 1 month ago | UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts |
Awesome Forensics / Tools / IOC Scanner | |||
Fastfinder | 230 | over 2 years ago | Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules |
Fenrir | 688 | over 2 years ago | Simple Bash IOC Scanner |
Loki | 3,364 | 7 months ago | Simple IOC and Incident Response Scanner |
Redline | Free endpoint security tool from FireEye | ||
THOR Lite | Free IOC and YARA Scanner | ||
recon | 30 | almost 2 years ago | Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA |
Awesome Forensics / Tools / Acquisition | |||
Acquire | 88 | about 1 month ago | Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container |
artifactcollector | 265 | 12 months ago | A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system |
ArtifactExtractor | 65 | over 3 years ago | Extract common Windows artifacts from source images and VSCs |
AVML | 858 | 11 days ago | A portable volatile memory acquisition tool for Linux |
Belkasoft RAM Capturer | Volatile Memory Acquisition Tool | ||
DFIR ORC | Forensics artefact collection tool for systems running Microsoft Windows | ||
FastIR Collector | 505 | over 3 years ago | Collect artifacts on windows |
FireEye Memoryze | A free memory forensic software | ||
FIT | 62 | 7 days ago | Forensic acquisition of web pages, emails, social media, etc |
ForensicMiner | 148 | 5 months ago | A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines |
LiME | 1,703 | 4 months ago | Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD |
Magnet RAM Capture / DumpIt | A free imaging tool designed to capture the physical memory | ||
SPECTR3 | 37 | about 1 month ago | Acquire, triage and investigate remote evidence via portable iSCSI readonly access |
UFADE | 127 | 12 days ago | Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups |
unix_collector | 31 | about 2 months ago | A live forensic collection script for UNIX-like systems as a single script |
Velociraptor | 2,906 | 13 days ago | Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries |
WinTriage | Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive | ||
Awesome Forensics / Tools / Imaging | |||
dc3dd | Improved version of dd | ||
dcfldd | Different improved version of dd (this version has some bugs!, another version is on github ) | ||
FTK Imager | Free imageing tool for windows | ||
Guymager | Open source version for disk imageing on linux systems | ||
4n6pi | 16 | about 2 months ago | Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf |
Awesome Forensics / Tools / Carving | |||
bstrings | 120 | over 1 year ago | Improved strings utility |
bulk_extractor | 1,090 | 6 months ago | Extracts information such as email addresses, creditcard numbers and histrograms from disk images |
floss | 3,207 | 4 days ago | Static analysis tool to automatically deobfuscate strings from malware binaries |
photorec | File carving tool | ||
swap_digger | 512 | over 3 years ago | A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc |
Awesome Forensics / Tools / Memory Forensics | |||
inVtero.net | 278 | about 1 year ago | High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support |
KeeFarce | 1,000 | almost 9 years ago | Extract KeePass passwords from memory |
MemProcFS | 3,014 | 12 days ago | An easy and convenient way of accessing physical memory as files a virtual file system |
Rekall | 1,918 | almost 4 years ago | Memory Forensic Framework |
volatility | 7,219 | over 1 year ago | The memory forensic framework |
VolUtility | 378 | about 1 month ago | Web App for Volatility framework |
Awesome Forensics / Tools / Network Forensics | |||
Kismet | 1,570 | 4 days ago | A passive wireless sniffer |
NetworkMiner | Network Forensic Analysis Tool | ||
Squey | Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data | ||
WireShark | A network protocol analyzer | ||
Awesome Forensics / Tools / Windows Artifacts | |||
Beagle | 1,269 | almost 2 years ago | Transform data sources and logs into graphs |
Blauhaunt | 160 | 6 months ago | A tool collection for filtering and visualizing logon events |
FRED | Cross-platform microsoft registry hive editor | ||
Hayabusa | 2,222 | 5 days ago | A a sigma-based threat hunting and fast forensics timeline generator for Windows event logs |
LastActivityView | LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer | ||
LogonTracer | 2,710 | 4 months ago | Investigate malicious Windows logon by visualizing and analyzing Windows event log |
PyShadow | 5 | about 2 months ago | A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies |
python-evt | 48 | over 1 year ago | Pure Python parser for classic Windows Event Log files (.evt) |
RegRipper3.0 | 541 | about 2 months ago | RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis |
RegRippy | 184 | 12 months ago | A framework for reading and extracting useful forensics data from Windows registry hives |
MFT-Parsers | Comparison of MFT-Parsers | ||
MFTEcmd | MFT Parser by Eric Zimmerman | ||
MFTExtractor | 14 | 24 days ago | MFT-Parser |
MFTMactime | 11 | over 1 year ago | MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all |
NTFS journal parser | |||
NTFS USN Journal parser | 106 | about 2 years ago | |
RecuperaBit | 534 | 6 months ago | Reconstruct and recover NTFS data |
python-ntfs | 80 | almost 7 years ago | NTFS analysis |
Awesome Forensics / Tools / OS X Forensics | |||
APFS Fuse | 1,758 | about 2 months ago | A read-only FUSE driver for the new Apple File System |
mac_apt (macOS Artifact Parsing Tool) | 768 | 29 days ago | Extracts forensic artifacts from disk images or live machines |
MacLocationsScraper | 75 | almost 2 years ago | Dump the contents of the location database files on iOS and macOS |
macMRUParser | 100 | over 6 years ago | Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format |
OSXAuditor | 3,126 | about 4 years ago | |
OSX Collect | 1,873 | over 5 years ago | |
Awesome Forensics / Tools / Mobile Forensics | |||
Andriller | 1,323 | over 2 years ago | A software utility with a collection of forensic tools for smartphones |
ALEAPP | 504 | 25 days ago | An Android Logs Events and Protobuf Parser |
ArtEx | Artifact Examiner for iOS Full File System extractions | ||
iLEAPP | 720 | 12 days ago | An iOS Logs, Events, And Plists Parser |
iOS Frequent Locations Dumper | 77 | almost 6 years ago | Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/ |
MEAT | 135 | over 4 years ago | Perform different kinds of acquisitions on iOS devices |
MobSF | 17,203 | 22 days ago | An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis |
OpenBackupExtractor | 156 | almost 3 years ago | An app for extracting data from iPhone and iPad backups |
Awesome Forensics / Tools / Docker Forensics | |||
dof (Docker Forensics Toolkit) | 91 | 8 months ago | Extracts and interprets forensic artifacts from disk images of Docker Host systems |
Docker Explorer | 523 | about 1 year ago | Extracts and interprets forensic artifacts from disk images of Docker Host systems |
Awesome Forensics / Tools / Internet Artifacts | |||
ChromeCacheView | A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache | ||
chrome-url-dumper | 33 | almost 7 years ago | Dump all local stored infromation collected by Chrome |
hindsight | 1,073 | 5 days ago | Internet history forensics for Google Chrome/Chromium |
IE10Analyzer | 12 | 3 months ago | This tool can parse normal records and recover deleted records in WebCacheV01.dat |
unfurl | 602 | about 1 month ago | Extract and visualize data from URLs |
WinSearchDBAnalyzer | 115 | 3 months ago | This tool can parse normal records and recover deleted records in Windows.edb |
Awesome Forensics / Tools / Timeline Analysis | |||
DFTimewolf | 290 | 24 days ago | Framework for orchestrating forensic collection, processing and data export using GRR and Rekall |
plaso | 1,714 | 6 days ago | Extract timestamps from various files and aggregate them |
Timeline Explorer | Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students | ||
timeliner | 34 | 2 months ago | A rewrite of mactime, a bodyfile reader |
timesketch | 2,587 | 5 days ago | Collaborative forensic timeline analysis |
Awesome Forensics / Tools / Disk image handling | |||
Disk Arbitrator | 657 | 8 months ago | A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device |
imagemounter | 117 | over 1 year ago | Command line utility and Python package to ease the (un)mounting of forensic disk images |
libewf | 264 | about 2 months ago | Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01) |
PancakeViewer | 38 | over 4 years ago | Disk image viewer based in dfvfs, similar to the FTK Imager viewer |
xmount | Convert between different disk image formats | ||
Awesome Forensics / Tools / Decryption | |||
hashcat | Fast password cracker with GPU support | ||
John the Ripper | Password cracker | ||
Awesome Forensics / Tools / Management | |||
Catalyst | 338 | 13 days ago | Catalyst is an open source security automation and ticket system |
dfirtrack | 480 | about 1 month ago | Digital Forensics and Incident Response Tracking application, track systems |
Incidents | 65 | over 1 year ago | Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads |
iris | 1,048 | 4 days ago | Collaborative Incident Response platform |
Awesome Forensics / Tools / Picture Analysis | |||
Ghiro | 479 | about 8 years ago | A fully automated tool designed to run forensics analysis over a massive amount of images |
sherloq | 2,637 | about 1 month ago | An open-source digital photographic image forensic toolset |
Awesome Forensics / Tools / Metadata Forensics | |||
ExifTool | by Phil Harvey | ||
FOCA | 2,930 | almost 2 years ago | FOCA is a tool used mainly to find metadata and hidden information in the documents |
Awesome Forensics / Tools / Steganography | |||
Sonicvisualizer | |||
Steghide | 573 | 8 months ago | is a steganography program that hides data in various kinds of image and audio files |
Wavsteg | 13 | almost 7 years ago | is a steganography program that hides data in various kinds of image and audio files |
Zsteg | 1,280 | 7 months ago | A steganographic coder for WAV files |
Awesome Forensics / Learn Forensics | |||
Forensic challenges | Mindmap of forensic challenges | ||
OpenLearn | Digital forensic course | ||
Training material | Online training material by European Union Agency for Network and Information Security for different topics (e.g. , ) | ||
Awesome Forensics / Learn Forensics / CTFs and Challenges | |||
BelkaCTF | CTFs by Belkasoft | ||
CyberDefenders | |||
DefCon CTFs | archive of DEF CON CTF challenges | ||
Forensics CTFs | 9,715 | 3 months ago | |
MagnetForensics CTF Challenge | |||
MalwareTech Challenges | |||
MemLabs | 1,639 | over 3 years ago | |
NW3C Chanllenges | |||
Precision Widgets of North Dakota Intrusion | |||
ReverseEngineering Challenges | |||
Awesome Forensics / Resources / Web | |||
ForensicsFocus | |||
Insecstitute Resources | |||
SANS Digital Forensics | |||
Awesome Forensics / Resources / Blogs | |||
Netresec | |||
SANS Forensics Blog | |||
SecurityAffairs | blog by Pierluigi Paganini | ||
This Week In 4n6 | Weekly updates for forensics | ||
Zena Forensics | |||
Awesome Forensics / Resources / Books | |||
Network Forensics: Tracking Hackers through Cyberspace | Learn to recognize hackers’ tracks and uncover network-based evidence | ||
The Art of Memory Forensics | Detecting Malware and Threats in Windows, Linux, and Mac Memory | ||
The Practice of Network Security Monitoring | Understanding Incident Detection and Response | ||
Awesome Forensics / Resources / File System Corpora | |||
Digital Forensic Challenge Images | Two DFIR challenges with images | ||
Digital Forensics Tool Testing Images | |||
The CFReDS Project | |||
Awesome Forensics / Resources / File System Corpora / The CFReDS Project | |||
Hacking Case (4.5 GB NTFS Image) | |||
Awesome Forensics / Resources / Other | |||
/r/computerforensics/ | Subreddit for computer forensics | ||
ForensicPosters | 433 | 5 months ago | Posters of file system structures |
SANS Posters | Free posters provided by SANS | ||
Awesome Forensics / Resources / Labs | |||
BlueTeam.Lab | 139 | over 1 year ago | Blue Team detection lab created with Terraform and Ansible in Azure |
Awesome Forensics / Related Awesome Lists | |||
Android Security | 8,099 | about 1 month ago | |
AppSec | 6,276 | 3 months ago | |
CTFs | 9,715 | 3 months ago | |
Hacking | 12,967 | 4 months ago | |
Honeypots | 8,520 | about 2 months ago | |
Incident-Response | 7,584 | 3 months ago | |
Infosec | 5,165 | 8 months ago | |
Malware Analysis | 11,701 | 4 months ago | |
Pentesting | 21,566 | about 22 hours ago | |
Security | 12,322 | 3 months ago | |
Social Engineering | 2,685 | over 1 year ago | |
YARA | 3,515 | about 2 months ago |