Skip to content
master
Go to file
Code

Latest commit

UAC tool added to the Live Forensics list.

Signed-off-by: Thiago Lahr <tclahr@br.ibm.com>
20f3f7e

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Jan 9, 2020
Mar 29, 2016

README.md

Awesome Forensics Link Status

Curated list of awesome free (mostly open source) forensic analysis tools and resources.


Collections

Tools

Distributions

Frameworks

  • dff - Forensic framework
  • dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
  • IntelMQ - IntelMQ collects and processes security feeds
  • Kuiper - Digital Investigation Platform
  • Laika BOSS - Laika is an object scanner and intrusion detection system
  • PowerForensics - PowerForensics is a framework for live disk forensic analysis
  • The Sleuth Kit - Tools for low level forensic analysis
  • turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
  • IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations

Live Forensics

  • grr - GRR Rapid Response: remote live forensics for incident response
  • Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
  • mig - Distributed & real time digital forensics at the speed of the cloud
  • osquery - SQL powered operating system analytics
  • UAC - Shell script that makes use of built-in tools to automate the collection of system artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.

Acquisition

  • artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
  • ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
  • AVML - A portable volatile memory acquisition tool for Linux
  • Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
  • DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
  • FastIR Collector - Collect artifacts on windows
  • LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
  • Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries

Imaging

  • dc3dd - Improved version of dd
  • dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
  • FTK Imager - Free imageing tool for windows
  • Guymager - Open source version for disk imageing on linux systems

Carving

  • bstrings - Improved strings utility
  • bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
  • floss - Static analysis tool to automatically deobfuscate strings from malware binaries
  • photorec - File carving tool
  • swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Memory Forensics

  • inVtero.net - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support
  • KeeFarce - Extract KeePass passwords from memory
  • MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
  • Rekall - Memory Forensic Framework
  • volatility - The memory forensic framework
  • VolUtility - Web App for Volatility framework

Windows Artifacts

  • Beagle - Transform data sources and logs into graphs
  • FRED - Cross-platform microsoft registry hive editor
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • python-evt - Pure Python parser for classic Windows Event Log files (.evt)
  • RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis.

NTFS/MFT Processing

OS X Forensics

Mobile Forensics

  • ALEAPP - An Android Logs Events and Protobuf Parser
  • ArtEx - Artifact Examiner for iOS Full File System extractions
  • iLEAPP - An iOS Logs, Events, And Plists Parser
  • MEAT - Perform different kinds of acquisitions on iOS devices

Docker Forensics

Internet Artifacts

  • chrome-url-dumper - Dump all local stored infromation collected by Chrome
  • hindsight - Internet history forensics for Google Chrome/Chromium
  • unfurl - Extract and visualize data from URLs

Timeline Analysis

  • DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  • plaso - Extract timestamps from various files and aggregate them
  • Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
  • timeliner - A rewrite of mactime, a bodyfile reader
  • timesketch - Collaborative forensic timeline analysis

Disk image handling

  • Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
  • imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer
  • xmount - Convert between different disk image formats

Decryption

Management

  • dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
  • Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads

Picture Analysis

  • sherloq - An open-source digital photographic image forensic toolset

Learn Forensics

CTFs

Resources

Books

more at Recommended Readings by Andrew Case

File System Corpora

Twitter

Vendors:

Blogs

Other

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome!

You can’t perform that action at this time.