.svg){kind=icon}
PhishTool automatically retrieves all of the relevant metadata from a phishing email, providing you with the most comprehensive technical view of a phishing email possible. This combined with our OSINT and heuristic detection, makes PhishTool one seriously powerful tool.
Open-Source Collaborative Incident Response Platform.
Created by incident responders for incident responders.
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations.
The multi-platform memory acquisition tool.
WinPmem has been the default open source memory acquisition driver for windows for a long time. It used to live in the Rekall project, but has recently been separated into its own repository.
Volatility 3: The volatile memory extraction framework
Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Volatility Memory Forensics - Promoting Accessible Memory Analysis Tools Within the Memory Forensics Community.
Memory analysis has become one of the most important topics to the future of digital investigations, and The Volatility Framework has become the world’s most widely used memory forensics tool - relied upon by law enforcement, military, academia, and commercial investigators around the world. The Volatility Foundation helps keep Volatility going so that it may be used in perpetuity, free and open to all.
Linpmem is a linux memory acquisition tool. Linpmem is a Linux x64-only tool for reading physical memory.
Like its Windows counterpart, Winpmem, this is not a traditional memory dumper. Linpmem offers an API for reading from any physical address, including reserved memory and memory holes, but it can also be used for normal memory dumping. Furthermore, the driver offers a variety of access modes to read physical memory, such as byte, word, dword, qword, and buffer access mode, where buffer access mode is appropriate in most standard cases. If reading requires an aligned byte/word/dword/qword read, Linpmem will do precisely that.
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It can serve many purposes, including OSINT and Forensics. gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.
Stop trying to avoid phishing. Choose a weapon and fight it...
PhishTool gives human analysts the power to reverse engineer phishing emails, to better defend against them. PhishTool is to phishing emails as a disassembler is to malware or a forensic toolkit is to file systems.
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
ForensicMiner, a PowerShell-based DFIR automation tool, revolutionizes the field of digital investigations. Designed for efficiency, it automates artifact and evidence collection from Windows machines. Compatibility with Flacon Crowdstrike RTR and Palo Alto Cortex XDR Live Terminal, along with its swift performance and user-friendly interface, makes ForensicMiner an indispensable asset for investigators navigating the complexities of forensic analysis. Streamlined and effective, this tool sets a new standard in the realm of digital forensics.
The Volatility Foundation is an independent 501(c) (3) non-profit organization that maintains and promotes The Volatility memory forensics framework.
All-in-One malware analysis tool.
All-in-One malware analysis tool for analyze many file types, from Windows binaries to E-Mail files.
Mobile forensic & Network traffic analysis.
PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet.
Live hunting of code injection techniques.
Memhunter is an endpoint sensor tool that is specialized in detecing resident malware, improving the threat hunter analysis process and remediation times. The tool detects and reports memory-resident malware living on endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis and without needing memory dumps. The tool was designed as a replacement of memory forensic volatility plugins such as malfind and hollowfind. The idea of not requiring memory dumps helps on performing the memory resident malware threat hunting at scale, without manual analysis, and without the complex infrastructure needed to move dumps to forensic environments.
Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.
Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.
DFIQ is a collection of Digital Forensics Investigative Questions and the approaches to answering them. The goal of the project is to build a comprehensive catalog of investigative knowledge to help drive consistent, thorough, and explainable investigations.
The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response Teams (CERT), Security Operations Centers (SOC) and Digital-Forensic Labs worldwide.
APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity . APT-Hunter use pre-defined detection rules and focus on statistics to uncover abnormalities which is very effective in compromise assessment . the output produced with timeline that can be analyzed directly from Excel , Timeline Explorer , Timesketch , etc...
Volatile memory extraction utility framework - An advanced memory forensics framework.
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the
system being investigated but offer visibilty into the runtime state of the system.
A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
If you'd like to use the artifacts in your own tools, all you need to be able to do is read YAML. That is it, no other dependencies. The Python code in this project is just used to validate all the artifacts to make sure they follow the specification.