Curated list of awesome free (mostly open source) forensic analysis tools and resources.
- AboutDFIR – The Definitive Compendium Project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
- DFIR.Training - Database of forensic resources focused on events, tools and more
- ⭐ ForensicArtifacts.com Artifact Repository - Machine-readable knowledge base of forensic artifacts
- bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
- Remnux - Distro for reverse-engineering and analyzing malicious software
- SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis
- Tsurugi Linux - Linux distribution for forensic analysis
- WinFE - Windows Forensics enviroment
- ⭐Autopsy - SleuthKit GUI
- dff - Forensic framework
- dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
- IntelMQ - IntelMQ collects and processes security feeds
- Kuiper - Digital Investigation Platform
- Laika BOSS - Laika is an object scanner and intrusion detection system
- PowerForensics - PowerForensics is a framework for live disk forensic analysis
- ⭐ The Sleuth Kit - Tools for low level forensic analysis
- turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
- IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
- Wombat Forensics - Forensic GUI tool
- grr - GRR Rapid Response: remote live forensics for incident response
- Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
- mig - Distributed & real time digital forensics at the speed of the cloud
- osquery - SQL powered operating system analytics
- UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.
- Fenrir - Simple Bash IOC Scanner
- Loki - Simple IOC and Incident Response Scanner
- Redline - Free endpoint security tool from FireEye
- THOR Lite - Free IOC and YARA Scanner
- artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
- ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
- AVML - A portable volatile memory acquisition tool for Linux
- Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
- CrowdResponse - A static host data collection tool by CrowdStrike
- DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
- FastIR Collector - Collect artifacts on windows
- FireEye Memoryze - A free memory forensic software
- LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
- Magnet RAM Capture - A free imaging tool designed to capture the physical memory
- Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
- dc3dd - Improved version of dd
- dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
- FTK Imager - Free imageing tool for windows
- ⭐ Guymager - Open source version for disk imageing on linux systems
- bstrings - Improved strings utility
- bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
- floss - Static analysis tool to automatically deobfuscate strings from malware binaries
- ⭐ photorec - File carving tool
- swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.
- inVtero.net - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support
- KeeFarce - Extract KeePass passwords from memory
- MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
- Rekall - Memory Forensic Framework
- volatility - The memory forensic framework
- VolUtility - Web App for Volatility framework
- NetworkMiner - Network Forensic Analysis Tool
- ⭐ WireShark - A network protocol analyzer
- Beagle - Transform data sources and logs into graphs
- FRED - Cross-platform microsoft registry hive editor
- LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
- LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
- python-evt - Pure Python parser for classic Windows Event Log files (.evt)
- RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
- RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives
- MFT-Parsers - Comparison of MFT-Parsers
- MFTEcmd - MFT Parser by Eric Zimmerman
- MFTExtractor - MFT-Parser
- NTFS journal parser
- NTFS USN Journal parser
- RecuperaBit - Reconstruct and recover NTFS data
- python-ntfs - NTFS analysis
- APFS Fuse - A read-only FUSE driver for the new Apple File System
- mac_apt (macOS Artifact Parsing Tool) - Extracts forensic artifacts from disk images or live machines
- MacLocationsScraper - Dump the contents of the location database files on iOS and macOS
- macMRUParser - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
- OSXAuditor
- OSX Collect
- Andriller - A software utility with a collection of forensic tools for smartphones
- ALEAPP - An Android Logs Events and Protobuf Parser
- ArtEx - Artifact Examiner for iOS Full File System extractions
- iLEAPP - An iOS Logs, Events, And Plists Parser
- iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
- MEAT - Perform different kinds of acquisitions on iOS devices
- MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
- OpenBackupExtractor - An app for extracting data from iPhone and iPad backups.
- dof (Docker Forensics Toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems
- Docker Explorer Extracts and interprets forensic artifacts from disk images of Docker Host systems
- ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
- chrome-url-dumper - Dump all local stored infromation collected by Chrome
- hindsight - Internet history forensics for Google Chrome/Chromium
- unfurl - Extract and visualize data from URLs
- DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
- ⭐ plaso - Extract timestamps from various files and aggregate them
- Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
- timeliner - A rewrite of mactime, a bodyfile reader
- timesketch - Collaborative forensic timeline analysis
- Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
- imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
- libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
- PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer
- xmount - Convert between different disk image formats
- hashcat - Fast password cracker with GPU support
- John the Ripper - Password cracker
- dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
- Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
- Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
- sherloq - An open-source digital photographic image forensic toolset
- ExifTool by Phil Harvey
- FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents
- Sonicvisualizer
- Steghide - is a steganography program that hides data in various kinds of image and audio files
- Wavsteg - is a steganography program that hides data in various kinds of image and audio files
- Zsteg - A steganographic coder for WAV files
- Forensic challenges - Mindmap of forensic challenges
- OpenLearn - Digital forensic course
- Training material - Online training material by European Union Agency for Network and Information Security for different topics (e.g. Digital forensics, Network forensics)
- Champlain College DFIR CTF
- Corelight CTF
- CyberDefenders
- DefCon CTFs - archive of DEF CON CTF challenges.
- Forensics CTFs
- MagnetForensics CTF Challenge
- MalwareTech Challenges
- MalwareTraffic Analysis
- MemLabs
- NW3C Chanllenges
- PivotProject
- Precision Widgets of North Dakota Intrusion
- ReverseEngineering Challenges
- Cyberforensicator
- DigitalForensicsMagazine
- FlashbackData
- Netresec
- roDigitalForensics
- SANS Forensics Blog
- SecurityAffairs - blog by Pierluigi Paganini
- thisweekin4n6.wordpress.com - Weekly updates for forensics
- Zena Forensics
more at Recommended Readings by Andrew Case
- Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackers’ tracks and uncover network-based evidence
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
- The Practice of Network Security Monitoring - Understanding Incident Detection and Response
- Digital Forensic Challenge Images - Two DFIR challenges with images
- Digital Forensics Tool Testing Images
- FAU Open Research Challenge Digital Forensics
- The CFReDS Project
- @4n6ist
- @aheadless
- @AppleExaminer - Apple OS X & iOS Digital Forensics
- @carrier4n6 - Brian Carrier, author of Autopsy and the Sleuth Kit
- @CindyMurph - Detective & Digital Forensic Examiner
- @forensikblog - Computer forensic geek
- @HECFBlog - SANS Certified Instructor
- @Hexacorn - DFIR+Malware
- @hiddenillusion
- @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
- @jaredcatkinson - PowerShell Forensics
- @maridegrazia - Computer Forensics Examiner
- @sleuthkit
- @williballenthin
- @XWaysGuide
Vendors:
- /r/computerforensics/ - Subreddit for computer forensics
- /r/LearnDigitalForensics - Subreddit for learning Digital Forensics
- ForensicPosters - Posters of file system structures
- SANS Posters - Free posters provided by SANS
- Android Security
- AppSec
- CTFs
- Hacking
- Honeypots
- Incident-Response
- Infosec
- Malware Analysis
- Pentesting
- Security
- Social Engineering
- YARA
Pull requests and issues with suggestions are welcome!