awesome-forensics

A curated list of awesome forensic analysis tools and resources

GitHub

4k stars
173 watching
619 forks
last commit: about 18 hours ago
Linked from 10 awesome lists

Tags: computer-forensics, dfir, digital-forensics, forensic-analysis, free, open-source

Awesome Forensics / Collections

AboutDFIR – The Definitive Compendium Project Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
ForensicArtifacts.com Artifact Repository 1,046 about 2 months ago Machine-readable knowledge base of forensic artifacts

Awesome Forensics / Tools

Forensics tools on Wikipedia
Eric Zimmerman's Tools

Awesome Forensics / Tools / Distributions

bitscout 461 4 months ago LiveCD/LiveUSB for remote forensic acquisition and analysis
Remnux Distro for reverse-engineering and analyzing malicious software
SANS Investigative Forensics Toolkit (sift) 485 8 months ago Linux distribution for forensic analysis
Tsurugi Linux Linux distribution for forensic analysis
WinFE Windows Forensic Environment

Awesome Forensics / Tools / Frameworks

Autopsy SleuthKit GUI
dexter 124 over 5 years ago Dexter is a forensics acquisition framework designed to be extensible and secure
dff 271 over 4 years ago Forensic framework
Dissect 909 26 days ago Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group)
hashlookup-forensic-analyser 125 about 1 year ago A tool to analyse files from a forensic acquisition to find known/unknown hashes from API or using a local Bloom filter
IntelMQ 974 26 days ago IntelMQ collects and processes security feeds
Kuiper 760 3 months ago Digital Investigation Platform
Laika BOSS 736 over 1 year ago Laika is an object scanner and intrusion detection system
OpenRelik Forensic platform to store file artifacts and run workflows
PowerForensics 1,384 11 months ago PowerForensics is a framework for live disk forensic analysis
TAPIR 43 over 2 years ago TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
The Sleuth Kit 2,598 4 days ago Tools for low level forensic analysis
turbinia 746 8 days ago Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
IPED - Indexador e Processador de Evidências Digitais 951 4 days ago Brazilian Federal Police Tool for Forensic Investigations
Wombat Forensics 47 3 months ago Forensic GUI tool

Awesome Forensics / Tools / Live Forensics

grr 4,762 16 days ago GRR Rapid Response: remote live forensics for incident response
Linux Expl0rer 407 7 months ago Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
mig 1,207 about 5 years ago Distributed & real time digital forensics at the speed of the cloud
osquery 21,798 4 days ago SQL powered operating system analytics
POFR 37 3 months ago The Penguin OS Flight Recorder collects, stores and organizes process execution, file access and network/socket endpoint data from the Linux operating system for further analysis
UAC 758 about 1 month ago UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts

Awesome Forensics / Tools / IOC Scanner

Fastfinder 230 over 2 years ago Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
Fenrir 688 over 2 years ago Simple Bash IOC Scanner
Loki 3,364 7 months ago Simple IOC and Incident Response Scanner
Redline Free endpoint security tool from FireEye
THOR Lite Free IOC and YARA Scanner
recon 30 almost 2 years ago Performance-oriented file finder that indexes and analyzes file metadata, with support for SQL querying and YARA rules

Awesome Forensics / Tools / Acquisition

Acquire 88 about 1 month ago Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
artifactcollector 265 12 months ago A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
ArtifactExtractor 65 over 3 years ago Extract common Windows artifacts from source images and VSCs
AVML 858 11 days ago A portable volatile memory acquisition tool for Linux
Belkasoft RAM Capturer Volatile Memory Acquisition Tool
DFIR ORC Forensics artefact collection tool for systems running Microsoft Windows
FastIR Collector 505 over 3 years ago Collect artifacts on Windows
FireEye Memoryze A free memory forensic software
FIT 62 7 days ago Forensic acquisition of web pages, emails, social media, etc
ForensicMiner 148 5 months ago A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines
LiME 1,703 4 months ago Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
Magnet RAM Capture / DumpIt A free imaging tool designed to capture the physical memory
SPECTR3 37 about 1 month ago Acquire, triage and investigate remote evidence via portable read-only iSCSI access
UFADE 127 12 days ago Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups
unix_collector 31 about 2 months ago A live forensic collection script for UNIX-like systems as a single script
Velociraptor 2,906 13 days ago Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
WinTriage Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges, and it is recommended to run it from an external drive

Awesome Forensics / Tools / Imaging

dc3dd Improved version of dd
dcfldd A different improved version of dd (this version has some bugs; another version is on GitHub)
FTK Imager Free imaging tool for Windows
Guymager Open source tool for disk imaging on Linux systems
4n6pi 16 about 2 months ago Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf

Awesome Forensics / Tools / Carving

bstrings 120 over 1 year ago Improved strings utility
bulk_extractor 1,090 6 months ago Extracts information such as email addresses, credit card numbers and histograms from disk images
floss 3,207 4 days ago Static analysis tool to automatically deobfuscate strings from malware binaries
photorec File carving tool
swap_digger 512 over 3 years ago A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc

Awesome Forensics / Tools / Memory Forensics

inVtero.net 278 about 1 year ago High-speed memory analysis framework developed in .NET; supports all Windows x64 versions and includes code integrity and write support
KeeFarce 1,000 almost 9 years ago Extract KeePass passwords from memory
MemProcFS 3,014 12 days ago An easy and convenient way of accessing physical memory as files in a virtual file system
Rekall 1,918 almost 4 years ago Memory Forensic Framework
volatility 7,219 over 1 year ago The memory forensic framework
VolUtility 378 about 1 month ago Web App for Volatility framework

Awesome Forensics / Tools / Network Forensics

Kismet 1,570 4 days ago A passive wireless sniffer
NetworkMiner Network Forensic Analysis Tool
Squey Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data
WireShark A network protocol analyzer

Awesome Forensics / Tools / Windows Artifacts

Beagle 1,269 almost 2 years ago Transform data sources and logs into graphs
Blauhaunt 160 6 months ago A tool collection for filtering and visualizing logon events
FRED Cross-platform Microsoft registry hive editor
Hayabusa 2,222 5 days ago A Sigma-based threat hunting and fast forensics timeline generator for Windows event logs
LastActivityView LastActivityView by NirSoft is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer
LogonTracer 2,710 4 months ago Investigate malicious Windows logon by visualizing and analyzing Windows event log
PyShadow 5 about 2 months ago A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
python-evt 48 over 1 year ago Pure Python parser for classic Windows Event Log files (.evt)
RegRipper3.0 541 about 2 months ago RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
RegRippy 184 12 months ago A framework for reading and extracting useful forensics data from Windows registry hives
MFT-Parsers Comparison of MFT-Parsers
MFTEcmd MFT Parser by Eric Zimmerman
MFTExtractor 14 24 days ago MFT-Parser
MFTMactime 11 over 1 year ago MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dumps all resident files in the MFT in their original folder structure and runs YARA rules over them all
NTFS journal parser
NTFS USN Journal parser 106 about 2 years ago
RecuperaBit 534 6 months ago Reconstruct and recover NTFS data
python-ntfs 80 almost 7 years ago NTFS analysis

Awesome Forensics / Tools / OS X Forensics

APFS Fuse 1,758 about 2 months ago A read-only FUSE driver for the new Apple File System
mac_apt (macOS Artifact Parsing Tool) 768 29 days ago Extracts forensic artifacts from disk images or live machines
MacLocationsScraper 75 almost 2 years ago Dump the contents of the location database files on iOS and macOS
macMRUParser 100 over 6 years ago Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
OSXAuditor 3,126 about 4 years ago
OSX Collect 1,873 over 5 years ago

Awesome Forensics / Tools / Mobile Forensics

Andriller 1,323 over 2 years ago A software utility with a collection of forensic tools for smartphones
ALEAPP 504 25 days ago An Android Logs Events and Protobuf Parser
ArtEx Artifact Examiner for iOS Full File System extractions
iLEAPP 720 12 days ago An iOS Logs, Events, And Plists Parser
iOS Frequent Locations Dumper 77 almost 6 years ago Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
MEAT 135 over 4 years ago Perform different kinds of acquisitions on iOS devices
MobSF 17,203 22 days ago An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis
OpenBackupExtractor 156 almost 3 years ago An app for extracting data from iPhone and iPad backups

Awesome Forensics / Tools / Docker Forensics

dof (Docker Forensics Toolkit) 91 8 months ago Extracts and interprets forensic artifacts from disk images of Docker Host systems
Docker Explorer 523 about 1 year ago Extracts and interprets forensic artifacts from disk images of Docker Host systems

Awesome Forensics / Tools / Internet Artifacts

ChromeCacheView A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
chrome-url-dumper 33 almost 7 years ago Dump all locally stored information collected by Chrome
hindsight 1,073 5 days ago Internet history forensics for Google Chrome/Chromium
IE10Analyzer 12 3 months ago This tool can parse normal records and recover deleted records in WebCacheV01.dat
unfurl 602 about 1 month ago Extract and visualize data from URLs
WinSearchDBAnalyzer 115 3 months ago This tool can parse normal records and recover deleted records in Windows.edb

Awesome Forensics / Tools / Timeline Analysis

DFTimewolf 290 24 days ago Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
plaso 1,714 6 days ago Extract timestamps from various files and aggregate them
Timeline Explorer Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
timeliner 34 2 months ago A rewrite of mactime, a bodyfile reader
timesketch 2,587 5 days ago Collaborative forensic timeline analysis

Awesome Forensics / Tools / Disk image handling

Disk Arbitrator 657 8 months ago A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
imagemounter 117 over 1 year ago Command line utility and Python package to ease the (un)mounting of forensic disk images
libewf 264 about 2 months ago Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
PancakeViewer 38 over 4 years ago Disk image viewer based in dfvfs, similar to the FTK Imager viewer
xmount Convert between different disk image formats

Awesome Forensics / Tools / Decryption

hashcat Fast password cracker with GPU support
John the Ripper Password cracker

Awesome Forensics / Tools / Management

Catalyst 338 13 days ago Catalyst is an open source security automation and ticket system
dfirtrack 480 about 1 month ago Digital Forensics and Incident Response Tracking application, track systems
Incidents 65 over 1 year ago Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
iris 1,048 4 days ago Collaborative Incident Response platform

Awesome Forensics / Tools / Picture Analysis

Ghiro 479 about 8 years ago A fully automated tool designed to run forensics analysis over a massive amount of images
sherloq 2,637 about 1 month ago An open-source digital photographic image forensic toolset

Awesome Forensics / Tools / Metadata Forensics

ExifTool by Phil Harvey
FOCA 2,930 almost 2 years ago FOCA is a tool used mainly to find metadata and hidden information in the documents

Awesome Forensics / Tools / Steganography

Sonicvisualizer
Steghide 573 8 months ago A steganography program that hides data in various kinds of image and audio files
Wavsteg 13 almost 7 years ago A steganography program that hides data in various kinds of image and audio files
Zsteg 1,280 7 months ago A steganographic coder for WAV files

Awesome Forensics / Learn Forensics

Forensic challenges Mindmap of forensic challenges
OpenLearn Digital forensic course
Training material Online training material by the European Union Agency for Network and Information Security on different topics (e.g. , )

Awesome Forensics / Learn Forensics / CTFs and Challenges

BelkaCTF CTFs by Belkasoft
CyberDefenders
DefCon CTFs Archive of DEF CON CTF challenges
Forensics CTFs 9,715 3 months ago
MagnetForensics CTF Challenge
MalwareTech Challenges
MemLabs 1,639 over 3 years ago
NW3C Challenges
Precision Widgets of North Dakota Intrusion
ReverseEngineering Challenges

Awesome Forensics / Resources / Web

ForensicsFocus
Infosec Institute Resources
SANS Digital Forensics

Awesome Forensics / Resources / Blogs

Netresec
SANS Forensics Blog
SecurityAffairs blog by Pierluigi Paganini
This Week In 4n6 Weekly updates for forensics
Zena Forensics

Awesome Forensics / Resources / Books

Network Forensics: Tracking Hackers through Cyberspace Learn to recognize hackers’ tracks and uncover network-based evidence
The Art of Memory Forensics Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Practice of Network Security Monitoring Understanding Incident Detection and Response

Awesome Forensics / Resources / File System Corpora

Digital Forensic Challenge Images Two DFIR challenges with images
Digital Forensics Tool Testing Images
The CFReDS Project

Awesome Forensics / Resources / File System Corpora / The CFReDS Project

Hacking Case (4.5 GB NTFS Image)

Awesome Forensics / Resources / Other

/r/computerforensics/ Subreddit for computer forensics
ForensicPosters 433 5 months ago Posters of file system structures
SANS Posters Free posters provided by SANS

Awesome Forensics / Resources / Labs

BlueTeam.Lab 139 over 1 year ago Blue Team detection lab created with Terraform and Ansible in Azure