forensics-tools.md

opensource-forensics-tools

A collection of open source forensics tools

Collections

3rd-party lists

• FreeBUF: 安全应急响应工具年末大放送（含下载）
• meirwah/awesome-incident-response - A curated list of tools for incident response
• Bellingcat's Digital Forensics Tools

Suite

• fireeye/rVMI - A New Paradigm For Full System Analysis
• CERTCC/trommel - Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators
• rough007/CDQR - a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux and MacOS devices
• biggiesmallsAG/nightHawkResponse - Incident Response Forensic Framework
• google/grr -Rapid Response: remote live forensics for incident response
• davehull/Kansa - A Powershell incident response framework

Packet injection

• netresec.com: findject.py - a simple python script that can find injected TCP packets in HTTP sessions, such as the QUANTUMINSERT Man-on-the-Side (MOTS) attacks

Memory forensics

• gleeda/memtriage - Allows you to quickly query a Windows machine for RAM artifacts
• sevagas/swap_digger - a tool used to automate Linux swap analysis during post-exploitation or forensics
• google/rekall - Rekall Memory Forensic Framework
  • toolsmith – Hunting In-Memory Adversaries with Rekall and WinPmem
• ufrisk/MemProcFS - The Memory Process File System
• comaeio/LiveCloudKd - Hyper-V Research is trendy now
• Extracting Activity History from PowerShell Process Dumps - 没给工具，用WinDBG解析powershell内存，提取HistoryInfo

Windows

• comaeio/Hibr2Bin - Comae Hibernation File Decompressor
• ANSSI-FR/bits_parser - Extract BITS jobs from QMGR queue and store them as CSV records
• williballenthin/python-evtx - Pure Python parser for recent Windows Event Log files (.evtx)
• fox-it/danderspritz-evtx - Parse evtx files and detect use of the DanderSpritz eventlogedit module
• PowerShellMafia/CimSweep - a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
• mgreen27/Powershell-IR - Invoke-LiveResponse
• sysinsider/usbtracker - Quick & dirty coded incident response and forensics python script to track USB devices events and artifacts in a Windows OS (Vista and later)
• gfoss/PSRecon - gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team
• B2dfir/wlrip - WaitList.dat Parser

Mac

• n0fate/chainbreaker - Mac OS X Keychain Forensic Tool
• mdegrazia/OSX-QuickLook-Parser - Parse the Mac Quickook index.sqlite database
• gist: dumpNotificationDB.py
• mac4n6/macMRU-Parser - parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
• dlcowen/FSEventsParser - Parser for OSX/iOS FSEvents Logs
• ydkhatri/mac_apt - macOS Artifact Parsing Tool
• Yelp/osxcollector - A forensic evidence collection & analysis toolkit for OS X
• pstirparo/mac4n6 - Collection of forensics artifacs location for Mac OS X and iOS

Linux

• sevagas/swap_digger - a tool used to automate Linux swap analysis during post-exploitation or forensics
• JPT - A quick & dirty GPT Partition Editor
• lukdog/backtolife - Memory forensic tool for process resurrection starting from a memory dump
• eurecom-s3/linux_screenshot_xwindows - Volatility plugin to extract X screenshots from a memory dump

Browser

• Busindre/dumpzilla - Extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers
• obsidianforensics/hindsight - Internet history forensics for Google Chrome/Chromium

Disk tools

• KBNLresearch/isolyzer - Verify size of ISO 9660 image against Volume Descriptor fields
• ntfsfix - Rescuing a broken NTFS filesystem

Mobile

• andreas-mausch/whatsapp-viewer - Small tool to display chats from the Android msgstore.db database (crypt12)
• B16f00t/whapa - WhatsApp Parser Tool v0.2
• silentsignal/burp-cfurl-cache - iOS CFURL Cache inspector for Burp Suite

Network

• Srinivas11789/PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

Uncategorized

• Netflix-Skunkworks/diffy - Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response

Tutorials

• OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility
• Mobile Incident Response Overview
• Cache Me If You Can - by 505Forensics
• Advanced smartphone forensics - Apple iCloud: backups, document storage, keychain; BlackBerry 10 backup encryption
• Logs Unite! - Forensic Analysis of Apple Unified Logs - by mac4n6
• DIGITAL FORENSICS – ARTIFACTS OF INTERACTIVE SESSIONS

Other resources

Artifacts

• iOS Forensics Artifacts v0.1
• Mac OS X Forensics Artifacts