awesome-forensics

Forensic toolkit

A curated collection of tools and resources for forensic analysis and digital forensics

⭐️ A curated list of awesome forensic analysis tools and resources

GitHub

4k stars
174 watching
624 forks
last commit: 11 days ago
Linked from 10 awesome lists

computer-forensicsdfirdigital-forensicsforensic-analysisfreeopen-source

Awesome Forensics / Collections

AboutDFIR – The Definitive Compendium Project Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
ForensicArtifacts.com Artifact Repository 1,062 3 months ago Machine-readable knowledge base of forensic artifacts

Awesome Forensics / Tools

Forensics tools on Wikipedia
Eric Zimmerman's Tools

Awesome Forensics / Tools / Distributions

bitscout 462 5 months ago LiveCD/LiveUSB for remote forensic acquisition and analysis
Remnux Distro for reverse-engineering and analyzing malicious software
SANS Investigative Forensics Toolkit (sift) 491 9 months ago Linux distribution for forensic analysis
Tsurugi Linux Linux distribution for forensic analysis
WinFE Windows Forensics enviroment

Awesome Forensics / Tools / Frameworks

Autopsy SleuthKit GUI
dexter 125 over 5 years ago Dexter is a forensics acquisition framework designed to be extensible and secure
dff 274 almost 5 years ago Forensic framework
Dissect 924 8 days ago Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group)
hashlookup-forensic-analyser 125 about 1 year ago A tool to analyse files from a forensic acquisition to find known/unknown hashes from API or using a local Bloom filter
IntelMQ 975 17 days ago IntelMQ collects and processes security feeds
Kuiper 769 about 1 month ago Digital Investigation Platform
Laika BOSS 739 almost 2 years ago Laika is an object scanner and intrusion detection system
OpenRelik Forensic platform to store file artifacts and run workflows
PowerForensics 1,385 about 1 year ago PowerForensics is a framework for live disk forensic analysis
TAPIR 44 over 2 years ago TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
The Sleuth Kit 2,630 6 days ago Tools for low level forensic analysis
turbinia 750 5 days ago Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
IPED - Indexador e Processador de Evidências Digitais 971 10 days ago Brazilian Federal Police Tool for Forensic Investigations
Wombat Forensics 47 4 months ago Forensic GUI tool

Awesome Forensics / Tools / Live Forensics

grr 4,783 about 2 months ago GRR Rapid Response: remote live forensics for incident response
Linux Expl0rer 406 9 months ago Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
mig 1,206 about 5 years ago Distributed & real time digital forensics at the speed of the cloud
osquery 21,887 11 days ago SQL powered operating system analytics
POFR 37 4 months ago The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System
UAC 797 21 days ago UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts

Awesome Forensics / Tools / IOC Scanner

Fastfinder 232 over 2 years ago Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
Fenrir 697 almost 3 years ago Simple Bash IOC Scanner
Loki 3,402 22 days ago Simple IOC and Incident Response Scanner
Redline Free endpoint security tool from FireEye
THOR Lite Free IOC and YARA Scanner
recon 31 almost 2 years ago Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA

Awesome Forensics / Tools / Acquisition

Acquire 91 16 days ago Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
artifactcollector 270 about 1 month ago A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
ArtifactExtractor 65 over 3 years ago Extract common Windows artifacts from source images and VSCs
AVML 875 8 days ago A portable volatile memory acquisition tool for Linux
Belkasoft RAM Capturer Volatile Memory Acquisition Tool
DFIR ORC Forensics artefact collection tool for systems running Microsoft Windows
FastIR Collector 506 almost 4 years ago Collect artifacts on windows
FireEye Memoryze A free memory forensic software
FIT 66 21 days ago Forensic acquisition of web pages, emails, social media, etc
ForensicMiner 148 6 months ago A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines
LiME 1,725 about 1 month ago Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
Magnet RAM Capture / DumpIt A free imaging tool designed to capture the physical memory
SPECTR3 37 27 days ago Acquire, triage and investigate remote evidence via portable iSCSI readonly access
UFADE 156 6 days ago Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups
unix_collector 32 3 months ago A live forensic collection script for UNIX-like systems as a single script
Velociraptor 2,975 7 days ago Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
WinTriage Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive

Awesome Forensics / Tools / Imaging

dc3dd Improved version of dd
dcfldd Different improved version of dd (this version has some bugs!, another version is on github )
FTK Imager Free imageing tool for windows
Guymager Open source version for disk imageing on linux systems
4n6pi 17 3 months ago Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf

Awesome Forensics / Tools / Carving

bstrings 120 over 1 year ago Improved strings utility
bulk_extractor 1,115 7 months ago Extracts information such as email addresses, creditcard numbers and histrograms from disk images
floss 3,255 8 days ago Static analysis tool to automatically deobfuscate strings from malware binaries
photorec File carving tool
swap_digger 513 over 3 years ago A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc

Awesome Forensics / Tools / Memory Forensics

inVtero.net 279 about 1 year ago High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support
KeeFarce 1,001 about 9 years ago Extract KeePass passwords from memory
MemProcFS 3,115 6 days ago An easy and convenient way of accessing physical memory as files a virtual file system
Rekall 1,924 about 4 years ago Memory Forensic Framework
volatility 7,343 over 1 year ago The memory forensic framework
VolUtility 380 3 months ago Web App for Volatility framework

Awesome Forensics / Tools / Network Forensics

Kismet 1,611 9 days ago A passive wireless sniffer
NetworkMiner Network Forensic Analysis Tool
Squey Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data
WireShark A network protocol analyzer

Awesome Forensics / Tools / Windows Artifacts

Beagle 1,272 almost 2 years ago Transform data sources and logs into graphs
Blauhaunt 161 8 days ago A tool collection for filtering and visualizing logon events
FRED Cross-platform microsoft registry hive editor
Hayabusa 2,305 4 days ago A a sigma-based threat hunting and fast forensics timeline generator for Windows event logs
LastActivityView LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer
LogonTracer 2,735 5 months ago Investigate malicious Windows logon by visualizing and analyzing Windows event log
PyShadow 5 3 months ago A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
python-evt 48 over 1 year ago Pure Python parser for classic Windows Event Log files (.evt)
RegRipper3.0 557 19 days ago RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
RegRippy 187 17 days ago A framework for reading and extracting useful forensics data from Windows registry hives
MFT-Parsers Comparison of MFT-Parsers
MFTEcmd MFT Parser by Eric Zimmerman
MFTExtractor 14 15 days ago MFT-Parser
MFTMactime 12 over 1 year ago MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all
NTFS journal parser
NTFS USN Journal parser 107 over 2 years ago
RecuperaBit 542 8 months ago Reconstruct and recover NTFS data
python-ntfs 80 almost 7 years ago NTFS analysis

Awesome Forensics / Tools / OS X Forensics

APFS Fuse 1,788 3 months ago A read-only FUSE driver for the new Apple File System
mac_apt (macOS Artifact Parsing Tool) 781 about 1 month ago Extracts forensic artifacts from disk images or live machines
MacLocationsScraper 77 about 2 years ago Dump the contents of the location database files on iOS and macOS
macMRUParser 101 over 6 years ago Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
OSXAuditor 3,128 over 4 years ago
OSX Collect 1,875 over 5 years ago

Awesome Forensics / Tools / Mobile Forensics

Andriller 1,343 over 2 years ago A software utility with a collection of forensic tools for smartphones
ALEAPP 525 9 days ago An Android Logs Events and Protobuf Parser
ArtEx Artifact Examiner for iOS Full File System extractions
iLEAPP 750 6 days ago An iOS Logs, Events, And Plists Parser
iOS Frequent Locations Dumper 82 about 6 years ago Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
MEAT 138 over 4 years ago Perform different kinds of acquisitions on iOS devices
MobSF 17,453 7 days ago An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis
OpenBackupExtractor 157 almost 3 years ago An app for extracting data from iPhone and iPad backups

Awesome Forensics / Tools / Docker Forensics

dof (Docker Forensics Toolkit) 94 9 months ago Extracts and interprets forensic artifacts from disk images of Docker Host systems
Docker Explorer 529 about 2 months ago Extracts and interprets forensic artifacts from disk images of Docker Host systems

Awesome Forensics / Tools / Internet Artifacts

ChromeCacheView A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
chrome-url-dumper 34 about 7 years ago Dump all local stored infromation collected by Chrome
hindsight 1,087 12 days ago Internet history forensics for Google Chrome/Chromium
IE10Analyzer 14 4 months ago This tool can parse normal records and recover deleted records in WebCacheV01.dat
unfurl 609 about 1 month ago Extract and visualize data from URLs
WinSearchDBAnalyzer 118 4 months ago This tool can parse normal records and recover deleted records in Windows.edb

Awesome Forensics / Tools / Timeline Analysis

DFTimewolf 296 7 days ago Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
plaso 1,734 about 1 month ago Extract timestamps from various files and aggregate them
Timeline Explorer Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
timeliner 36 4 months ago A rewrite of mactime, a bodyfile reader
timesketch 2,615 13 days ago Collaborative forensic timeline analysis

Awesome Forensics / Tools / Disk image handling

Disk Arbitrator 660 9 months ago A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
imagemounter 120 almost 2 years ago Command line utility and Python package to ease the (un)mounting of forensic disk images
libewf 265 3 months ago Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
PancakeViewer 39 over 4 years ago Disk image viewer based in dfvfs, similar to the FTK Imager viewer
xmount Convert between different disk image formats

Awesome Forensics / Tools / Decryption

hashcat Fast password cracker with GPU support
John the Ripper Password cracker

Awesome Forensics / Tools / Management

Catalyst 350 13 days ago Catalyst is an open source security automation and ticket system
dfirtrack 482 3 months ago Digital Forensics and Incident Response Tracking application, track systems
Incidents 65 almost 2 years ago Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
iris 1,079 7 days ago Collaborative Incident Response platform

Awesome Forensics / Tools / Picture Analysis

Ghiro 484 about 8 years ago A fully automated tool designed to run forensics analysis over a massive amount of images
sherloq 2,668 14 days ago An open-source digital photographic image forensic toolset

Awesome Forensics / Tools / Metadata Forensics

ExifTool by Phil Harvey
FOCA 2,979 almost 2 years ago FOCA is a tool used mainly to find metadata and hidden information in the documents

Awesome Forensics / Tools / Steganography

Sonicvisualizer
Steghide 593 9 months ago is a steganography program that hides data in various kinds of image and audio files
Wavsteg 14 almost 7 years ago is a steganography program that hides data in various kinds of image and audio files
Zsteg 1,322 8 months ago A steganographic coder for WAV files

Awesome Forensics / Learn Forensics

Forensic challenges Mindmap of forensic challenges
OpenLearn Digital forensic course
Training material Online training material by European Union Agency for Network and Information Security for different topics (e.g. , )

Awesome Forensics / Learn Forensics / CTFs and Challenges

BelkaCTF CTFs by Belkasoft
CyberDefenders
DefCon CTFs archive of DEF CON CTF challenges
Forensics CTFs 9,867 4 months ago
MagnetForensics CTF Challenge
MalwareTech Challenges
MemLabs 1,659 over 3 years ago
NW3C Chanllenges
Precision Widgets of North Dakota Intrusion
ReverseEngineering Challenges

Awesome Forensics / Resources / Web

ForensicsFocus
Insecstitute Resources
SANS Digital Forensics

Awesome Forensics / Resources / Blogs

Netresec
SANS Forensics Blog
SecurityAffairs blog by Pierluigi Paganini
This Week In 4n6 Weekly updates for forensics
Zena Forensics

Awesome Forensics / Resources / Books

Network Forensics: Tracking Hackers through Cyberspace Learn to recognize hackers’ tracks and uncover network-based evidence
The Art of Memory Forensics Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Practice of Network Security Monitoring Understanding Incident Detection and Response

Awesome Forensics / Resources / File System Corpora

Digital Forensic Challenge Images Two DFIR challenges with images
Digital Forensics Tool Testing Images
The CFReDS Project

Awesome Forensics / Resources / File System Corpora / The CFReDS Project

Hacking Case (4.5 GB NTFS Image)

Awesome Forensics / Resources / Other

/r/computerforensics/ Subreddit for computer forensics
ForensicPosters 435 6 months ago Posters of file system structures
SANS Posters Free posters provided by SANS

Awesome Forensics / Resources / Labs

BlueTeam.Lab 143 over 1 year ago Blue Team detection lab created with Terraform and Ansible in Azure
Android Security 8,207 3 months ago
AppSec 6,329 5 months ago
CTFs 9,867 4 months ago
Hacking 13,185 6 months ago
Honeypots 8,650 3 months ago
Incident-Response 7,678 4 months ago
Infosec 5,205 9 months ago
Malware Analysis 11,981 6 months ago
Pentesting 21,921 27 days ago
Security 12,475 4 months ago
Social Engineering 2,726 over 1 year ago
YARA 3,563 6 days ago

Backlinks from these awesome lists:

More related projects: