DFIR Tools 4 All
This post contains many digital forensics and incident response tools for endpoints, cloud vendors, and more. The tools below include open-source, commercial, and other free tools for day-to-day investigation and forensics.
EnCase is a commercial forensics platform. It offers support for evidence collection from over twenty-five different types of devices, including desktops, mobile devices, and GPS. Within the tool, a forensic investigator can inspect the collected data and generate a wide range of reports based on predefined templates.
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. Law enforcement, military, and corporate examiners use it to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
The Sleuth Kit is a library and collection of command-line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The library can be incorporated into more comprehensive digital forensics tools, and the command-line tools can be directly used to find evidence.
DFF (Digital Forensics Framework) is a free, open-source computer forensics software built on a dedicated API. It can be used by professional and non-expert people to quickly and easily collect, preserve and reveal digital evidence without compromising systems and data.
Digital Evidence Investigator is a digital forensic tool for Windows, Linux, and macOS (including T2 and M1 chips). DEI collects digital evidence and presents it in a timeline view to tie the user to files and artifacts.
Digital Evidence Investigator PRO is a tool that includes Windows, Linux, and macOS (including T2 and M1) computer forensic capabilities of Digital Evidence Investigator and Mobile Device Investigator iOS/Android capabilities in a single license.
AccessData Forensic Toolkit (FTK) is built for speed, stability, and ease of use. It provides comprehensive processing and indexing up front, so filtering and searching are faster than with any other product. This means you can quickly zero in on the relevant evidence, dramatically increasing your analysis speed.
Guymager is a free forensic imager for media acquisition. It has a straightforward user interface available in different languages and is fast due to its multi-threaded, pipelined design and multi-threaded data compression. It generates flat, EWF, and AFF images and supports disk cloning. It is free of charge and completely open-source.
Redline is FireEye’s premier accessible endpoint security tool, which provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. It collects information about running processes on a host and drivers from memory.
Paraben’s Electronic Evidence Examiner is a comprehensive digital forensic platform designed to handle more data more efficiently while adhering to Paraben’s paradigm of specialized focus on the entire forensic exam process. Paraben has desktop forensics, email forensics, cloud analysis, IoT forensics, and triage and visualization capabilities.
Bulk Extractor is a program that extracts features such as email addresses, credit card numbers, URLs, and other types of information from digital evidence files. It is a proper forensic investigation tool for many tasks, such as malware and intrusion investigations, identity investigations, and cyber investigations, as well as analyzing imagery and password cracking.
Registry Recon is a powerful computer forensics tool developed by Arsenal Recon. The tool extracts, recovers, and parses registry data from Windows systems. The process of manually scouring Windows Registry files proves to be highly time-consuming and leaves gaps in the ability to recover critical information.
Volatility is a memory forensics framework. It is used for incident response and malware analysis. This tool can extract information from running processes, network sockets, connections, DLLs, and registry hives. It also supports extracting information from Windows crash dump and hibernation files.
WindowsSCOPE is a commercial memory forensics and reverse engineering tool for analyzing volatile memory. It provides the ability to analyze the Windows kernel, drivers, DLLs, and virtual and physical memory. It is used for reverse engineering malware.
Network Miner is an open-source Network Forensic Analysis Tool for Windows, Linux, Mac OS X, and FreeBSD. NetworkMiner can be used as a passive network sniffer/packet-capturing tool to detect operating systems, sessions, hostnames, and open ports without putting any traffic on the network.
Xplico is an open-source network forensic analysis tool. It extracts valuable data from applications that use the Internet and network protocols. The output data of the tool is stored in an SQLite database or MySQL database. It supports the most popular protocols. It also supports both IPv4 and IPv6.
Oxygen Forensic Detective is a forensic tool that focuses on mobile devices but is capable of extracting data from many different platforms, including mobile, IoT, cloud services, drones, media cards, backups, and desktop platforms. It uses physical methods to bypass device security and collects authentication data for several mobile applications.
XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interface with the mobile device operating system and extract the desired data. XRY Physical, on the other hand, uses physical recovery techniques to bypass the operating system, enabling analysis of locked devices.
HashKeeper is a central database repository of Forensic Intelligence donated by various sources, usually obtained by law enforcement during forensic investigations of suspect systems.
Forensic Explorer Command Line (FEX CLI) is a forensic data processing engine for computer forensics and electronic discovery. The FEX CLI can be run on a single workstation in an enterprise-level virtual environment spawning multiple simultaneous processing instances.
FEX Memory Imager is a free imaging tool designed to capture the physical RAM of a suspect’s running computer. This allows investigators to recover and analyze valuable artifacts found only in memory.
FEX Imager is a free forensic imaging program that will acquire or hash a bit-level forensic image with full MD5, SHA1, and SHA256 hash authentication. It can acquire a physical drive, logical drive, folders and files, remote devices, or re-acquire a forensic image.
Forensic Explorer is a flexible GUI with advanced sort, filter, keyword search, data recovery, and script technology. It can quickly process large volumes of data, automate complex investigation tasks, produce detailed reports and increase productivity.
DIRTY is a tool for augmenting decompiler output with learned variable names and types, developed by the Socio-Technical Research Using Data Excavation Lab at Carnegie Mellon University.
X-Ways Forensics is a commercial digital forensics platform for Windows.
X-Ways Investigator is a smaller version of X-Ways Forensics for police investigators, lawyers, and auditors.
WinHex is a hex editor, disk editor, and RAM editor used as a computer forensics, data recovery, and IT security tool.
F-Response provides remote network drive analysis, remote RAM access, and cloud storage access.
REHex is a cross-platform hex editor for Windows, Linux, and Mac, intended for reverse engineering and everything else.
PTK Forensics is a computer forensic framework for the command-line tools in The Sleuth Kit, plus many more software modules.
Sparrow is a PowerShell tool developed by CISA’s Cloud Forensics team to detect malicious activities, such as possibly compromised accounts and applications in the Azure or Microsoft Office 365 environment.
AzureHound uses the “Az” Azure PowerShell module and Azure AD PowerShell module for gathering data within Azure and Azure AD. If the modules are not installed, you can use the “-Install” switch to install them. The modules require PowerShell version 5.1 or greater. To check your PowerShell version, use “$PSVersionTable.PSVersion”.
The Hawk PowerShell module scans the Office 365 audit log, gathers all the information, and exports the audit log from Office 365. The main goal of Hawk is to retrieve data needed to review and analyze various logs quickly. With Hawk, you can export Office 365 audit logs, search Office 365 audit logs and parse whatever you need from the Office 365 administrator audit log.
The CRT is a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments to help determine configuration weaknesses and provide advice to mitigate this risk.
The AzureADIncidentResponse uses Graph API under the hood to access data, so it starts with obtaining an API access token. Once the token has been received, we can call a resource, returning the data.
AWS_IR is a Python-installable command-line interface that automates initial response actions. It has two built-in commands, key-compromise and instance-compromise, with some plugin options. As the name implies, key-compromise disables and revokes compromised access keys for you.
Margarita Shotgun is a Python command-line tool that allows you to pull memory from one or more systems in your AWS environment.
SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in various settings. It can match any current incident response and forensic tool suite.
Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix’s Security Intelligence and Response Team (SIRT).
GDPatrol is a SOAR Framework for AWS GuardDuty. The GDPatrol Lambda function receives the GuardDuty findings through the CloudWatch Event Rule and executes the appropriate actions to mitigate the threats according to their types and severity.
AWSLOG is a tool to show the history and changes between configuration versions of AWS resources.
Scout Suite is an open-source multi-cloud security-auditing tool that enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas.
DumpsterDiver is a tool that can analyze enormous volumes of data in search of hardcoded secrets like keys or passwords. Additionally, it allows the creation of search rules with primary conditions.
Azure AD Incident Response PowerShell module provides several tools developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART) to assist in compromise response.
Mandiant Azure AD Investigator is a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some are “high-fidelity” indicators of compromise, while others are so-called “dual-use” artifacts.
GlusterFS is a free and open-source, scalable network filesystem. Using standard off-the-shelf hardware, you can create large, distributed storage solutions for media streaming, data analysis, and other data- and bandwidth-intensive tasks.
Ceph is a software-defined storage solution to data centers’ object, block, and file storage needs, adopting open source as the new norm for high-growth block storage, object stores, and data lakes. Ceph provides scalable enterprise storage while keeping CAPEX and OPEX costs in line with underlying bulk commodity disk prices.
Hadoop Distributed File System (HDFS) is a distributed file system that handles large data sets running on commodity hardware. It is used to scale a single Apache Hadoop cluster to hundreds (and even thousands) of nodes. HDFS is one of the major components of Apache Hadoop, the others being MapReduce and YARN.
ZFS is an enterprise-ready open-source file system and volume manager with unprecedented flexibility and an uncompromising commitment to data integrity.
OpenZFS is an open-source storage platform. It includes the functionality of both traditional file systems and volume managers. Its many advanced features include protection against data corruption, integrity checking for data and metadata, continuous integrity verification, and automatic “self-healing” repair.
Btrfs is a modern copy-on-write filesystem for Linux aimed at implementing advanced features while focusing on fault tolerance, repair, and easy administration.
Squashfs is a compressed read-only filesystem for Linux. It uses zlib, lz4, lzo, or xz compression to compress files, inodes, and directories. Inodes in the system are very small, and all blocks are packed to minimize data overhead.
Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 or later. It features strong encryption, space sharing, snapshots, fast directory sizing, and improved file system fundamentals.
NTFS (New Technology File System) is the primary file system for recent versions of Windows and Windows Server. It provides a complete set of features, including security descriptors, encryption, disk quotas, and rich metadata. It can be used with Cluster Shared Volumes to provide continuously available volumes that can be accessed simultaneously from multiple failover cluster nodes.
exFAT (Extended File Allocation Table) is the successor to FAT32 in the FAT family of file systems. It was optimized for flash memory, such as USB flash drives and SD cards.
HVM (Hardware Virtual Machine) is a virtualization type that allows running an operating system directly on top of a virtual machine without any modification as if it were run on bare-metal hardware.
PV (ParaVirtualization) is an efficient and lightweight virtualization technique introduced by the Xen Project team and later adopted by other virtualization solutions. PV does not require virtualization extensions from the host CPU and thus enables virtualization on hardware architectures that do not support hardware-assisted virtualization.
Virtualization-based Security (VBS) is a hardware virtualization feature to create and isolate a secure memory region from the standard operating system.
Hypervisor-Enforced Code Integrity (HVCI) is a mechanism whereby a hypervisor, such as Hyper-V, uses hardware virtualization to protect kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment resistant to attack from malicious software, and the hypervisor sets page permissions for kernel mode and maintains page permissions.
KVM (for Kernel-based Virtual Machine) is a complete virtualization solution for Linux on x86 hardware containing virtualization extensions. It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure, and a processor-specific module, kvm-intel.ko or kvm-amd.ko.
QEMU is a fast processor emulator using a portable dynamic translator. QEMU emulates an entire system, including a processor and various peripherals. It can be used to launch a different operating system without rebooting the PC or to debug system code.
VirtManager is a graphical tool for managing virtual machines via libvirt. Most usage is with QEMU/KVM virtual machines, but Xen and libvirt LXC containers are well supported. Everyday operations for any libvirt driver should work.
oVirt is an open-source distributed virtualization solution that manages your entire enterprise infrastructure.
HyperKit is a toolkit for embedding hypervisor capabilities in your application. It is designed to be interfaced with higher-level components such as the VPNKit and DataKit. It includes a complete hypervisor based on xhyve/bhyve, optimized for lightweight virtual machines and container deployment. HyperKit currently only supports macOS using the Hypervisor.framework, making it a core component of Docker Desktop for Mac.
Intel Graphics Virtualization Technology is a complete GPU virtualization solution with mediated pass-through, starting from 4th generation Intel Core (TM) processors with Intel processor graphics. It can be used to virtualize the GPU for multiple guest virtual machines, effectively providing near-native graphics performance in the virtual machine while still letting your host use the virtualized GPU normally.
Apple Hypervisor is a framework that builds virtualization solutions on top of a lightweight hypervisor without third-party kernel extensions. The hypervisor provides C APIs so you can interact with virtualization technologies in user space without writing kernel extensions (KEXTs).
Apple Virtualization Framework is a framework that provides high-level APIs for creating and managing virtual machines on Apple silicon and Intel-based Mac computers. This framework is used to boot and run a Linux-based operating system in a custom environment you define.
Apple Paravirtualized Graphics Framework is a framework that implements hardware-accelerated graphics for macOS running in a virtual machine, hereafter known as the guest. The operating system provides a graphics driver that runs inside the guest, communicating with the framework in the host operating system to take advantage of Metal-accelerated graphics.
Cloud Hypervisor is an open-source Virtual Machine Monitor (VMM) that runs on top of KVM. The project focuses on exclusively running modern cloud workloads on top of a limited set of hardware architectures and platforms. Cloud workloads refer to those that customers inside a cloud provider usually run. Cloud Hypervisor is implemented in Rust and is based on the rust-vmm crates.
VMware vSphere Hypervisor is a bare-metal hypervisor that virtualizes servers, allowing you to consolidate your applications while saving time and money managing your IT infrastructure.
Xen is focused on advancing virtualization in several commercial and open-source applications, including server virtualization, Infrastructure as a Service (IaaS), desktop virtualization, security applications, embedded and hardware appliances, and automotive/aviation.
Ganeti is a virtual machine cluster management tool built on existing virtualization technologies such as Xen, KVM, and other open-source software. Once installed, the tool assumes management of the virtual instances (Xen DomU).
Packer is an open-source tool for creating identical machine images for multiple platforms from a single source configuration. Packer is lightweight, runs on every primary operating system, and is highly performant, creating machine images for multiple platforms in parallel. Packer does not replace configuration management like Chef or Puppet.
Vagrant is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the “works on my machine” excuse a relic of the past.
VMware Workstation is a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems; it enables users to set up virtual machines on a single physical machine and use them simultaneously with the actual machine.
Netdata collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices and is perfectly safe to install on your systems mid-incident without any preparation.
IDA Pro (Interactive DisAssembler Professional) is a programmable and multi-processor disassembler combined with a local/remote debugger and a complete plugin programming environment. It’s an excellent tool for testing and discovering security vulnerabilities.
Ghidra is a software reverse engineering (SRE) framework developed by NSA’s Research Directorate for NSA’s cybersecurity mission. It helps analyze malicious code and malware and provides a better understanding of potential vulnerabilities in networks and systems.
Emissary is a data-driven workflow engine that runs in a heterogeneous, possibly widely dispersed, multi-tiered P2P network of computing resources. Workflow itineraries are not pre-planned as in conventional workflow engines but are discovered as more information is discovered about the data.
MADCert is a cross-platform tool consisting of a certificate generator, a file system certificate manager, and a command-line interface for testing purposes.
BLESS (Bastion’s Lambda Ephemeral SSH Service) is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys.
Chaos Monkey is a resiliency tool that helps applications tolerate random instance failures. It is fully integrated with Spinnaker, the continuous delivery platform. Chaos Monkey will work with Spinnaker’s backend.
Priam is a tool/process for backup/recovery, token management, and centralized configuration management for Cassandra.
Vector is an on-host performance monitoring framework that exposes “hand-picked high-resolution” metrics to every engineer’s browser.
Control Groups (cgroups) is a Linux kernel feature that allows you to allocate resources such as CPU time, system memory, network bandwidth, or any combination of these resources for user-defined groups of tasks (processes) running on a system.
Libgcrypt is a cryptographic library originally based on code from GnuPG.
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker, and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b, and 802.11g traffic.
Burp Suite is a leading range of cybersecurity tools.
Cilium uses eBPF to accelerate getting data in and out of L7 proxies such as Envoy, enabling efficient visibility into API protocols like HTTP, gRPC, and Kafka.
Hubble provides network, service, and security observability for Kubernetes using eBPF.
Istio is an open platform to connect, manage, and secure microservices. Istio’s control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes and Mesos.
Certgen is a convenient tool to generate and store certificates for Hubble Relay mTLS.
Scapy is a Python-based interactive packet manipulation program and library.
syzkaller is an unsupervised, coverage-guided kernel fuzzer.
SchedViz is a tool for gathering and visualizing kernel scheduling traces on Linux machines.
OSS-Fuzz aims to make standard open-source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.
OSSEC is a free, open-source host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.
Metasploit Project is a computer security project that provides information about security vulnerabilities and aids penetration testing and IDS signature development.
Wfuzz was created to facilitate web application assessments, and it is based on a simple concept: it replaces any reference to the FUZZ keyword with the value of a given payload.
Nmap is a security scanner used to discover hosts and services on a computer network, thus building a “map” of the network.
Patchwork is a web-based patch-tracking system that facilitates contributing and managing contributions to an open-source project.
pfSense is a free, open-source firewall and router that also features unified threat management, load balancing, WAN, and more.
Snort is an open-source, free, lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
OpenSCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). OpenSCAP maintains great flexibility and interoperability by reducing the costs of performing security audits.
Tink is a multi-language, cross-platform, open-source library that provides secure cryptographic APIs, which are easy to use correctly, and harder to misuse.
OWASP is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in web application security.
Open Vulnerability and Assessment Language is a community effort to standardize how to assess and report on the machine state of computer systems. OVAL includes a language to encode system details and community repositories of content.
Qt Network Authorization is a tool that provides a set of APIs that enable Qt applications to obtain limited access to online accounts and HTTP services without exposing users’ passwords.
cURL is a computer software project providing a library and command-line tool for transferring data using various network protocols. cURL is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, set-top boxes, and media players.
cURL Fuzzer provides quality assurance testing for the curl project.
DoH is a stand-alone application for DoH (DNS-over-HTTPS) name resolution and lookups.
Nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev.
Proxmox Virtual Environment (VE) is a complete open-source platform for enterprise virtualization. It includes a built-in web interface to easily manage VMs and containers, software-defined storage and networking, high-availability clustering, and multiple out-of-the-box tools in a single solution.
HTTPie is a command-line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. HTTPie is designed for testing, debugging, and generally interacting with APIs & HTTP servers.
HTTPStat is a tool that visualizes curl statistics in a simple layout.
Wuzz is an interactive CLI tool for HTTP inspection. It can inspect/modify requests copied from the browser’s network inspector with the “copy as cURL” feature.