cugu / awesome-forensics

Awesome Forensics Curated list of awesome **free** (mostly open source) forensic analysis tools and resources. • Awesome Forensics • Collections • Tools • Distributions • Frameworks • Live Forensics • IOC Scanner • Acquisition • Imaging • Carving • Memory Forensics • Network Forensics • Windows Artifacts • NTFS/MFT Processing • OS X Forensics • Mobile Forensics • Docker Forensics • Internet Artifacts • Timeline Analysis • Disk image handling • Decryption • Management • Picture Analysis • Metadata Forensics • Steganography • Learn Forensics • CTFs and Challenges • Resources • Web • Blogs • Books • File System Corpora • Other • Labs • Related Awesome Lists • Contributing --- Collections • AboutDFIR – The Definitive Compendium Project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more • :star: ForensicArtifacts.com Artifact Repository - Machine-readable knowledge base of forensic artifacts Tools • Forensics tools on Wikipedia • Eric Zimmerman's Tools Distributions • bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis • Remnux - Distro for reverse-engineering and analyzing malicious software • SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis • Tsurugi Linux - Linux distribution for forensic analysis • WinFE - Windows Forensics enviroment Frameworks • AIFT - AIFT (AI Forensic Triage) parses evidence using dissect and generates AI-assisted forensic reports. • :star:Autopsy - SleuthKit GUI • dexter - Dexter is a forensics acquisition framework designed to be extensible and secure • dff - Forensic framework • Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group). • hashlookup-forensic-analyser - A tool to analyse files from a forensic acquisition to find known/unknown hashes from hashlookup API or using a local Bloom filter. • IntelMQ - IntelMQ collects and processes security feeds • Kuiper - Digital Investigation Platform • Laika BOSS - Laika is an object scanner and intrusion detection system • OpenRelik - Forensic platform to store file artifacts and run workflows • PowerForensics - PowerForensics is a framework for live disk forensic analysis • TAPIR - TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework • :star: The Sleuth Kit - Tools for low level forensic analysis • turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms • IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations • Wombat Forensics - Forensic GUI tool Live Forensics • grr - GRR Rapid Response: remote live forensics for incident response • Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask • mig - Distributed & real time digital forensics at the speed of the cloud • osquery - SQL powered operating system analytics • POFR - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System. • UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts. IOC Scanner • Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules • Fenrir - Simple Bash IOC Scanner • Loki - Simple IOC and Incident Response Scanner • Redline - Free endpoint security tool from FireEye • THOR Lite - Free IOC and YARA Scanner • recon - Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA. Acquisition • Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container • ALEX - Extract files from ADB devices on Windows, Linux and MacOS. Mostly a wrapper for adbutils. • artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system • ArtifactExtractor - Extract common Windows artifacts from source images and VSCs • AVML - A portable volatile memory acquisition tool for Linux • Belkasoft RAM Capturer - Volatile Memory Acquisition Tool • DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows • FastIR Collector - Collect artifacts on windows • FireEye Memoryze - A free memory forensic software • FIT - Forensic acquisition of web pages, emails, social media, etc. • ForensicMiner - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines. • Fuji - MacOS forensic acquisition made simple. It creates full file system copies or targeted collection of Mac computers. • Hashment - Python forensic tool to analyze, dump, and recover deleted files from YAFFS2 partitions. • LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD • Magnet RAM Capture / DumpIt - A free imaging tool designed to capture the physical memory • SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI readonly access • TriageHasher - A flexible hashing tool designed for triage collections on Windows, Linux and MacOS. Only hash files with a given extension and location. • UFADE - Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups. • unix_collector - A live forensic collection script for UNIX-like sys…