awesome-anti-forensic
Forensic evasion toolkit
A curated list of tools and packages used to counter forensic analysis and hide information from digital systems.
Tools and packages used to counter forensic activities, including encryption, steganography, and anything that modifies file attributes. This also covers tools that make changes to a system in general for the purpose of hiding information.
783 stars, 16 watching, 88 forks. Language: HTML. Last commit: 12 months ago. Linked from 2 awesome lists.
Topics: anti-forensic, anti-forensics, antiforensics, awesome, awesome-list, cybersecurity, forensic-analysis, security
Tools / System/Digital Image
- Afflib (80 stars, updated 8 months ago): An extensible open format for the storage of disk images and related forensic information
- Air-Imager: A GUI front-end to dd/dc3dd designed for easily creating forensic images
- Bmap-tools (231 stars, updated about 1 month ago): Tool for copying largely sparse files using information from a block map file
- dd: The dd command allows you to copy all or part of a disk
  - Dc3dd: A patched version of dd that includes a number of features useful for computer forensics
  - Dcfldd: DCFL (DoD Computer Forensics Lab), a dd replacement with hashing
- ddrescue: GNU data recovery tool
- Dmg2img (213 stars, updated almost 4 years ago): A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format
- Frida (16,220 stars, updated 8 days ago): Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers
  - Fridump (751 stars, updated 4 months ago): A universal memory dumper using Frida
- Imagemounter (120 stars, updated almost 2 years ago): Command line utility and Python package to ease the (un)mounting of forensic disk images
Tools / Recovering tool / Memory Extraction
- Extundelete: Utility for recovering deleted files from ext2, ext3 or ext4 partitions by parsing the journal
- Foremost (317 stars, updated over 1 year ago): A console program to recover files based on their headers, footers, and internal data structures
- MagicRescue (8 stars, updated about 3 years ago): Find and recover deleted files on block devices
- MemDump (12 stars, updated over 6 years ago): Dumps system memory to stdout, skipping over holes in memory maps
- MemFetch (40 stars, updated almost 7 years ago): Simple utility that can be used to dump process memory of any userspace process running on the system without affecting its execution
- Mxtract (582 stars, updated about 3 years ago): Memory Extractor & Analyzer
- Recoverjpeg (77 stars, updated almost 2 years ago): Recover JPEGs from damaged devices
- SafeCopy: A disk data recovery tool to extract data from damaged media
- Scrounge-Ntfs (11 stars, updated almost 8 years ago): Data recovery program for NTFS file systems
- TestDisk & PhotoRec (1,665 stars, updated 3 months ago): TestDisk checks the partition and boot sectors of your disks. It is very useful in recovering lost partitions. PhotoRec is file data recovery software designed to recover lost pictures from digital camera memory or even hard disks. It has been extended to search also for non audio/video headers
Tools / Analysis / Gathering tool (Know your enemies)
- Autopsy (2,427 stars, updated 2 months ago): The forensic browser. A GUI for the Sleuth Kit
- Bulk-extractor (1,115 stars, updated 7 months ago): Bulk Email and URL extraction tool
- captipper (711 stars, updated over 1 year ago): Malicious HTTP traffic explorer tool
- Chromefreak (69 stars, updated over 9 years ago): A Cross-Platform Forensic Framework for Google Chrome
- SkypeFreak (66 stars, updated over 7 years ago): A Cross-Platform Forensic Framework for Skype
- Dumpzilla (130 stars, updated over 3 years ago): A forensic tool for Firefox
- Emldump (2,023 stars, updated 19 days ago): Analyze MIME files
- Galleta: Examine the contents of IE's cookie files for forensic purposes
- Guymager: A forensic imager for media acquisition
- Indxparse (216 stars, updated about 1 year ago): A tool suite for inspecting NTFS artifacts
- IOSforensic (63 stars, updated over 10 years ago): iOS forensic tool
- IPBA2 (103 stars, updated over 10 years ago): iOS Backup Analyzer
- Iphoneanalyzer (7 stars, updated about 9 years ago): Allows you to forensically examine or recover data from an iOS device
- LiMEaide (161 stars, updated about 4 years ago): Remotely dump RAM of a Linux client and create a Volatility profile for later analysis on your local host
- MboxGrep: A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats
- Mobiusft: An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions
- Naft: Network Appliance Forensic Toolkit. A Network Forensic Analysis Tool for advanced network traffic analysis, sniffer and packet analyzer
- Nfex: A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile
- Ntdsxtract (319 stars, updated over 2 years ago) [windows]: Active Directory forensic framework
- Pasco: Examines the contents of Internet Explorer's cache files for forensic purposes
- PcapXray (1,698 stars, updated over 2 years ago): Network Forensics Tool - to visualize a packet capture offline as a network diagram including device identification, highlighting of important communication and file extraction
- ReplayProxy (25 stars, updated almost 3 years ago): Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file
- Pdfbook-analyzer: Utility for Facebook memory forensics
- Pdfid (2,023 stars, updated 19 days ago): Scan a file to look for certain PDF keywords
- PdfResurrect (81 stars, updated about 2 years ago): A tool aimed at analyzing PDF documents
- Peepdf (1,309 stars, updated 3 months ago): A Python tool to explore PDF files in order to find out if the file can be harmful or not
- Pev (3 stars, updated over 1 year ago): Command line based tool for PE32/PE32+ file analysis
- Rekall (1,924 stars, updated about 4 years ago): Memory Forensic Framework
- Recuperabit (542 stars, updated 8 months ago): A tool for forensic file system reconstruction
- Rifiuti2 (143 stars, updated 7 months ago): A rewrite of rifiuti, a great tool from the Foundstone folks for analyzing Windows Recycle Bin INFO2 files
- Rkhunter: Checks machines for the presence of rootkits and other unwanted tools
- Sleuthkit (2,630 stars, updated 6 days ago): A library and collection of command line digital forensics tools that allow you to investigate volume and file system data
- Swap-digger (513 stars, updated over 3 years ago): A tool used to automate Linux swap analysis during post-exploitation or forensics
- Vinetto: A forensics tool to examine Thumbs.db files
- Volafox (165 stars, updated over 8 years ago): macOS Memory Analysis Toolkit
- Volatility (7,343 stars, updated over 1 year ago): Advanced memory forensics framework
- Xplico (182 stars, updated about 4 years ago): Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)
Tools / Data tampering
- Exiftool (11,474 stars, updated 9 months ago): Reader and rewriter of EXIF information that supports raw files
- Exiv2 (933 stars, updated 4 days ago): Exif, IPTC and XMP metadata manipulation library and tools
- nTimetools (45 stars, updated about 3 years ago): Timestomper and timestamp checker with nanosecond accuracy for NTFS volumes
- Scalpel (627 stars, updated 8 months ago): An open source data carving tool
- SetMace (49 stars, updated about 10 years ago): Manipulate timestamps on NTFS
Tools / Hiding process
- Harness (9 stars, updated over 5 years ago): Execute ELFs in memory
- Unhide: A forensic tool to find processes hidden by rootkits, LKMs or by other techniques
- Kaiser (86 stars, updated almost 6 years ago): File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit)
- Papa Shango (5 stars, updated about 5 years ago): Inject code into running processes with ptrace()
- Saruman (127 stars, updated over 6 years ago): ELF anti-forensics exec, for injecting full dynamic executables into a process image (with thread injection)
Tools / Cleaner / Data Destruction / Wiping / FileSystem
- BleachBit (3,085 stars, updated 19 days ago): System cleaner for Windows and Linux
- ChainSaw: ChainSaw automates the process of shredding log files and bash history from a system. It is a tool that cleans up the bloody mess you left behind when you went for a stroll behind enemy lines
- Clear-EventLog: PowerShell command. Clears all entries from specified event logs on the local or remote computers
- DBAN: Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes the hard disks of most computers. DBAN is appropriate for bulk or emergency data destruction
- delete-self-poc (497 stars, updated 4 months ago): A way to delete a locked file, or the currently running executable, on disk
- Forensia (733 stars, updated over 1 year ago): Anti-forensics tool for red teamers, used for erasing footprints in the post-exploitation phase
- Hdparm: Get/set hard disk parameters
- LogKiller (307 stars, updated over 3 years ago): Clear all your logs on Linux/Windows servers
- Meterpreter > clearev (1,739 stars, updated 21 days ago): The meterpreter clearev command will clear the Application, System, and Security logs on a Windows system
- NTFS-3G (989 stars, updated 9 months ago): NTFS-3G Safe Read/Write NTFS Driver
- Nuke My LUKS (45 stars, updated about 8 years ago): Network panic button designed to overwrite the LUKS header of computers in a LAN with random data
- Permanent-Eraser (22 stars, updated about 3 years ago): Secure file erasing utility for macOS
- Shred: Overwrite a file to hide its contents, and optionally delete it
- Silk-guardian (678 stars, updated 10 months ago): An anti-forensic kill-switch that waits for a change on your USB ports and then wipes your RAM, deletes precious files, and turns off your computer
- Srm: Srm is a command-line compatible rm which overwrites file contents before unlinking
- Wipe (48 stars, updated almost 2 years ago): A Unix tool for secure deletion
- Wipedicks (129 stars, updated almost 5 years ago): Wipe files and drives securely with random ASCII dicks
- wiper (73 stars, updated almost 2 years ago): Toolkit to perform secure destruction of sensitive virtual data, temporary files and swap memory
Tools / Password and Login
- chntpw: Offline NT Password Editor - reset passwords in a Windows NT SAM user database file
- lazagne (9,586 stars, updated about 1 month ago): An open source application used to retrieve lots of passwords stored on a local computer
- Mimipenguin (3,812 stars, updated over 1 year ago): A tool to dump the login password of the current Linux user
Tools / Encryption / Obfuscation
- BurnEye (65 stars, updated over 12 years ago): ELF encryption program
- cryptsetup: Utility used to conveniently set up disk encryption based on the dm-crypt kernel module
  - cryptsetup-nuke-password: Configure a special "nuke password" that can be used to destroy the encryption keys required to unlock the encrypted partitions
- ELFcrypt (93 stars, updated about 4 years ago): ELF crypter
- FreeOTFE: A free "on-the-fly" transparent disk encryption program for PCs & PDAs
- Midgetpack (197 stars, updated over 10 years ago): Midgetpack is a multiplatform secure ELF packer
- panic_bcast (224 stars, updated about 3 years ago): Decentralized opsec panic button operating over UDP broadcasts and HTTP. Provides automatic ejection of encrypted drives as a safety measure against cold-boot attacks
- Sherlocked (104 stars, updated about 10 years ago): Universal script packer that transforms any type of script into a protected ELF executable, encrypted with anti-debugging
  - suicideCrypt (8 stars, updated almost 7 years ago): A toolset for creating cryptographically strong volumes that destroy themselves upon tampering (event) or via an issued command
- Tchunt-ng (52 stars, updated about 6 years ago): Reveal encrypted files stored on a filesystem
- TrueHunter (30 stars, updated over 3 years ago): Detect TrueCrypt containers using a fast and memory efficient approach
Tools / Policies / Logging (Event) / Monitoring
- Auditpol: Displays information about and performs functions to manipulate audit policies in Windows
- evtkit (18 stars, updated over 8 years ago): Fix acquired .evt Windows Event Log files (forensics) [windows]
- Grokevt (10 stars, updated 4 months ago): A collection of scripts built for reading Windows NT/2K/XP/2K eventlog files [windows]
- Lfle (27 stars, updated about 9 years ago): Recover event log entries from an image by heuristically looking for record structures
- python-evtx (732 stars, updated 4 months ago): A tool to parse the Windows XML Event Log (EVTX) format
- USBGuard: Software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method-of-use policies (how a USB device may interact with the system)
- wecutil: Enables you to create and manage subscriptions to events that are forwarded from remote computers. The remote computer must support the WS-Management protocol [windows]
- Wevtutil: Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs (Windows Server)
Tools / Steganography
- AudioStego (268 stars, updated over 1 year ago): Hides text or files inside audio files and retrieves them automatically
- ChessSteg (87 stars, updated about 3 years ago): Steganography in chess games
- Cloakify (1,558 stars, updated almost 4 years ago): Transforms any filetype into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts
- Jsteg (609 stars, updated over 1 year ago): jsteg is a package for hiding data inside JPEG files
- Mp3nema (8 stars, updated over 11 years ago): A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise known as "out of band" data
- PacketWhisper (623 stars, updated over 3 years ago): Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography
- steg86 (287 stars, updated 10 days ago): Format-agnostic steganographic tool for x86 and AMD64 binaries. You can use it to hide information in compiled programs, regardless of executable format (PE, ELF, Mach-O, raw, &c)
- steganography (997 stars, updated 7 months ago): Simple C++ image steganography tool to encrypt and hide files inside images using Least-Significant-Bit encoding
- Steganography (572 stars, updated about 1 month ago): Least Significant Bit steganography for bitmap images (.bmp and .png), WAV sound files, and byte sequences
- StegaStamp (693 stars, updated 12 months ago): Invisible hyperlinks in physical photographs
- StegCloak (3,313 stars, updated about 2 months ago): Hide secrets with invisible characters in plain text securely using passwords
- Stegdetect (407 stars, updated about 6 years ago): Automated tool for detecting steganographic content in images
- StegFS (26 stars, updated over 2 years ago): A FUSE based steganographic file system
- Steghide: Steganography program that is able to hide data in various kinds of image and audio files
- Stegify (1,207 stars, updated over 1 year ago): Go tool for LSB steganography, capable of hiding any file within an image
- Stego (266 stars, updated over 2 years ago): stego is a steganographic swiss army knife
  - StegoGAN (304 stars, updated over 1 year ago): A tool for creating steganographic images using adversarial training
- stego-toolkit (2,403 stars, updated almost 2 years ago): This project is a Docker image useful for solving steganography challenges such as those you can find on CTF platforms
- StegoVeritas (358 stars, updated over 1 year ago): Yet another stego tool
- tweetable-polyglot-png (2,547 stars, updated over 3 years ago): Pack up to 3MB of data into a tweetable PNG polyglot file
Tools / Malware / AV
- Malheur (368 stars, updated over 5 years ago): A tool for the automatic analysis of malware behavior
- MalwareDetect (1,201 stars, updated about 1 year ago): Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware
Tools / OS/VM
- HiddenVM (2,356 stars, updated 4 months ago): Use any desktop OS without leaving a trace
- Tails: Portable operating system that protects against surveillance and censorship
Tools / Hardware
- BusKill (157 stars, updated 3 months ago): BusKill is a hardware and software project that uses a hardware tripwire/dead-man switch to trigger a computer to lock or shut down if the user is physically separated from their machine
- Day Tripper (3,678 stars, updated about 1 year ago): Hide-My-Windows laser tripwire
- DoNotDisturb (294 stars, updated almost 4 years ago): Security tool for macOS that aims to detect unauthorized physical access to your laptop
- Silk Guardian (678 stars, updated 10 months ago): Anti-forensic kill-switch that waits for a change on your USB ports and then wipes your RAM, deletes precious files, and turns off your computer
- USB Kill (4,442 stars, updated 9 months ago): Anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer
- USB Death (126 stars, updated over 7 years ago): Anti-forensic tool that writes udev rules for known USB devices and performs actions on unknown USB insertion or on removal of a specific USB device
- xxUSBSentinel (64 stars, updated almost 2 years ago): Windows anti-forensics USB monitoring tool
Tools / Android App
- Lockup (329 stars, updated 5 months ago): A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques
- Ripple (226 stars, updated about 1 month ago): A "panic button" app for triggering a "ripple effect" across apps that are set up to respond to panic events