A collection of open source forensics tools
3rd-party lists
- FreeBUF: Year-end giveaway of security incident response tools (with downloads)
- meirwah/awesome-incident-response - A curated list of tools for incident response
- Bellingcat's Digital Forensics Tools
Suite
- fireeye/rVMI - A New Paradigm For Full System Analysis
- CERTCC/trommel - Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators
- rough007/CDQR - a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux and MacOS devices
- biggiesmallsAG/nightHawkResponse - Incident Response Forensic Framework
- google/grr - GRR Rapid Response: remote live forensics for incident response
- davehull/Kansa - A Powershell incident response framework
Packet injection
Memory forensics
- gleeda/memtriage - Allows you to quickly query a Windows machine for RAM artifacts
- sevagas/swap_digger - a tool used to automate Linux swap analysis during post-exploitation or forensics
- google/rekall - Rekall Memory Forensic Framework
- ufrisk/MemProcFS - The Memory Process File System
- comaeio/LiveCloudKd - Hyper-V Research is trendy now
- Extracting Activity History from PowerShell Process Dumps - no tool provided; uses WinDbg to parse PowerShell process memory and extract the HistoryInfo objects
Windows
- comaeio/Hibr2Bin - Comae Hibernation File Decompressor
- ANSSI-FR/bits_parser - Extract BITS jobs from QMGR queue and store them as CSV records
- williballenthin/python-evtx - Pure Python parser for recent Windows Event Log files (.evtx)
- fox-it/danderspritz-evtx - Parse evtx files and detect use of the DanderSpritz eventlogedit module
- PowerShellMafia/CimSweep - a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
- mgreen27/Powershell-IR - Invoke-LiveResponse
- sysinsider/usbtracker - Quick & dirty coded incident response and forensics python script to track USB devices events and artifacts in a Windows OS (Vista and later)
- gfoss/PSRecon - gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team
- B2dfir/wlrip - WaitList.dat Parser
Mac
- n0fate/chainbreaker - Mac OS X Keychain Forensic Tool
- mdegrazia/OSX-QuickLook-Parser - Parse the Mac QuickLook index.sqlite database
- gist: dumpNotificationDB.py
- mac4n6/macMRU-Parser - parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
- dlcowen/FSEventsParser - Parser for OSX/iOS FSEvents Logs
- ydkhatri/mac_apt - macOS Artifact Parsing Tool
- Yelp/osxcollector - A forensic evidence collection & analysis toolkit for OS X
- pstirparo/mac4n6 - Collection of forensics artifact locations for Mac OS X and iOS
Linux
- sevagas/swap_digger - a tool used to automate Linux swap analysis during post-exploitation or forensics
- JPT - A quick & dirty GPT Partition Editor
- lukdog/backtolife - Memory forensic tool for process resurrection starting from a memory dump
- eurecom-s3/linux_screenshot_xwindows - Volatility plugin to extract X screenshots from a memory dump
Browser
- Busindre/dumpzilla - Extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers
- obsidianforensics/hindsight - Internet history forensics for Google Chrome/Chromium
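The two browser tools above parse different on-disk formats, and the first thing that goes wrong when someone reads these databases by hand is the timestamp epoch: Chrome/Chromium stores `visits.visit_time` as microseconds since 1601-01-01 UTC (WebKit time), while Firefox stores `moz_historyvisits.visit_date` as microseconds since 1970-01-01 UTC (PRTime). The example below is added here and is not code from hindsight or dumpzilla; it builds two small in-memory SQLite databases with a constructed subset of each browser's history schema (not real profiles), converts both epochs correctly, decodes the visit/transition type, and merges the visits into one UTC timeline. The table and column names used are the real ones, but only the columns the queries need are created.

```python
"""Normalise Chrome and Firefox history timestamps into one UTC timeline.

Added example, not the code of hindsight or dumpzilla.  Epochs:
  Chrome/Chromium  visits.visit_time            = microseconds since 1601-01-01 UTC (WebKit time)
  Firefox          moz_historyvisits.visit_date = microseconds since 1970-01-01 UTC (PRTime)
Reading a Chrome value as a Unix timestamp puts the visit 369 years in the future.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Chromium keeps the core transition type in the low 8 bits; the high bits are qualifiers
# such as CHAIN_START / CHAIN_END, so mask before looking the type up.
CHROME_CORE_MASK = 0xFF
CHROME_TRANSITION = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
                     4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
                     7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}
FIREFOX_VISIT_TYPE = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
                      5: "redirect_permanent", 6: "redirect_temporary",
                      7: "download", 8: "framed_link", 9: "reload"}


def webkit_to_datetime(us: int) -> datetime:
    """WebKit time (microseconds since 1601-01-01 UTC) -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us: int) -> datetime:
    """PRTime (microseconds since 1970-01-01 UTC) -> aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def chrome_visits(conn: sqlite3.Connection) -> list:
    sql = ("SELECT u.url, u.title, v.visit_time, v.transition "
           "FROM visits v JOIN urls u ON u.id = v.url")
    return [{"browser": "chrome", "url": url, "title": title,
             "time": webkit_to_datetime(t),
             "how": CHROME_TRANSITION.get(trans & CHROME_CORE_MASK,
                                          f"core={trans & CHROME_CORE_MASK}")}
            for url, title, t, trans in conn.execute(sql)]


def firefox_visits(conn: sqlite3.Connection) -> list:
    sql = ("SELECT p.url, p.title, v.visit_date, v.visit_type "
           "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id")
    return [{"browser": "firefox", "url": url, "title": title,
             "time": prtime_to_datetime(t),
             "how": FIREFOX_VISIT_TYPE.get(vt, f"type={vt}")}
            for url, title, t, vt in conn.execute(sql)]


def timeline(chrome_conn: sqlite3.Connection, firefox_conn: sqlite3.Connection) -> list:
    """Merge both browsers' visits into one list ordered by UTC time."""
    return sorted(chrome_visits(chrome_conn) + firefox_visits(firefox_conn),
                  key=lambda r: r["time"])


def build_sample_dbs():
    """Constructed in-memory databases (not real profiles) with the columns the queries use."""
    chrome = sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, segment_id INTEGER,
                            visit_duration INTEGER);
        -- 13349793600000000 us of WebKit time = 2024-01-15 12:00:00 UTC
        INSERT INTO urls VALUES (1, 'https://example.test/login', 'Login', 1, 1, 13349793600000000, 0);
        -- 805306369 = 0x30000001: core type TYPED (1) with CHAIN_START|CHAIN_END qualifiers
        INSERT INTO visits VALUES (1, 1, 13349793600000000, 0, 805306369, 0, 0);
    """)
    firefox = sqlite3.connect(":memory:")
    firefox.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER, session INTEGER);
        -- 1705319940000000 us of PRTime = 2024-01-15 11:59:00 UTC
        INSERT INTO moz_places VALUES (1, 'https://example.test/', 'Home', 1705319940000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1705319940000000, 2, 0);
    """)
    return chrome, firefox


if __name__ == "__main__":
    for row in timeline(*build_sample_dbs()):
        print(row["time"].isoformat(), row["browser"], row["how"], row["url"])
```

On a real case, point `sqlite3.connect` at a copy of the profile's `History` (Chrome) or `places.sqlite` (Firefox) file; copy it first, since the live file is locked and the browser may have a write-ahead log that must be copied alongside it. Both tools listed above also extract downloads, cookies, form data and cache entries that this example does not touch.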
Disk tools
- KBNLresearch/isolyzer - Verify size of ISO 9660 image against Volume Descriptor fields
- ntfsfix - Rescuing a broken NTFS filesystem
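The check isolyzer performs is small enough to show in full: the Primary Volume Descriptor sits at logical block 16 (byte offset 32768), and its volume space size (bytes 80-87) and logical block size (bytes 128-131) are stored in ISO 9660 "both-byte order" form, a little-endian copy followed by a big-endian copy. Multiplying the two gives the size the image claims to have; a file that is shorter was truncated during acquisition or copying, and one that is longer carries trailing data worth a look. The example below is an added illustration, not isolyzer's code; `build_image` constructs a minimal synthetic image so the check can be exercised without a real ISO.

```python
"""Compare an ISO 9660 image's declared size with its actual size.

Added example, not isolyzer's code.  The Primary Volume Descriptor (PVD) lives at
LBA 16; its both-byte-order fields carry the volume size in logical blocks and the
logical block size.  declared_size = volume_space_size * logical_block_size.
"""
import struct

SECTOR = 2048
PVD_LBA = 16  # LBAs 0-15 are the system area; the first volume descriptor follows


def _both_endian(buf: bytes, offset: int, fmt_le: str, fmt_be: str, width: int) -> int:
    """Read a both-byte-order field and require the LE and BE copies to agree."""
    le = struct.unpack_from(fmt_le, buf, offset)[0]
    be = struct.unpack_from(fmt_be, buf, offset + width)[0]
    if le != be:
        raise ValueError(f"both-endian field at offset {offset} disagrees: {le} != {be}")
    return le


def parse_pvd(image: bytes) -> dict:
    """Extract the size-related fields from the PVD at LBA 16."""
    start = PVD_LBA * SECTOR
    pvd = image[start:start + SECTOR]
    if len(pvd) < SECTOR:
        raise ValueError("image too short to contain a volume descriptor at LBA 16")
    if pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 standard identifier at LBA 16")
    if pvd[0] != 1:
        raise ValueError(f"descriptor at LBA 16 has type {pvd[0]}, expected 1 (primary)")
    return {
        "volume_id": pvd[40:72].decode("ascii", "replace").rstrip(),
        "volume_space_size": _both_endian(pvd, 80, "<I", ">I", 4),   # in logical blocks
        "logical_block_size": _both_endian(pvd, 128, "<H", ">H", 2),  # in bytes
    }


def check_iso_size(image: bytes) -> dict:
    """Classify the image as ok, truncated or carrying trailing data."""
    info = parse_pvd(image)
    expected = info["volume_space_size"] * info["logical_block_size"]
    actual = len(image)
    if actual == expected:
        status = "ok"
    elif actual < expected:
        status = "truncated"
    else:
        status = "trailing_data"
    return {**info, "expected_size": expected, "actual_size": actual,
            "delta": actual - expected, "status": status}


def build_image(declared_blocks: int, actual_blocks: int) -> bytes:
    """Construct a synthetic image: system area, PVD, set terminator, zero filler.

    declared_blocks goes into the PVD; actual_blocks controls the real file length,
    so the two can be made to disagree on purpose.
    """
    pvd = bytearray(SECTOR)
    pvd[0] = 1                      # type 1 = primary volume descriptor
    pvd[1:6] = b"CD001"             # standard identifier
    pvd[6] = 1                      # descriptor version
    pvd[40:72] = b"EVIDENCE".ljust(32)
    struct.pack_into("<I", pvd, 80, declared_blocks)
    struct.pack_into(">I", pvd, 84, declared_blocks)
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    term = bytearray(SECTOR)
    term[0] = 255                   # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    image = bytes(PVD_LBA * SECTOR) + bytes(pvd) + bytes(term)
    return image.ljust(actual_blocks * SECTOR, b"\0")[:actual_blocks * SECTOR]


if __name__ == "__main__":
    for declared, actual in ((64, 64), (64, 40), (64, 70)):
        print(check_iso_size(build_image(declared, actual)))
```

To run it against a real image, `check_iso_size(open(path, "rb").read())` is enough for small images; for large ones read only the first 17 sectors for `parse_pvd` and take the actual size from `os.path.getsize`. The check says nothing about the contents being intact, only that the container is as long as it claims, so it belongs next to a hash verification rather than in place of one.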
Mobile
- andreas-mausch/whatsapp-viewer - Small tool to display chats from the Android msgstore.db database (crypt12)
- B16f00t/whapa - WhatsApp Parser Tool v0.2
- silentsignal/burp-cfurl-cache - iOS CFURL Cache inspector for Burp Suite
Network
Uncategorized
- OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility
- Mobile Incident Response Overview
- Cache Me If You Can - by 505Forensics
- Advanced smartphone forensics - Apple iCloud: backups, document storage, keychain; BlackBerry 10 backup encryption
- Logs Unite! - Forensic Analysis of Apple Unified Logs - by mac4n6
- DIGITAL FORENSICS – ARTIFACTS OF INTERACTIVE SESSIONS
Artifacts