Avilla Forensics is a free mobile forensic tool created in February 2021 to assist investigators in collecting information and evidence from mobile devices. Developed by Daniel Avilla, a police officer from São Paulo, the tool provides powerful features for logical data extraction and backup conversion into formats compatible with advanced forensic analysis software, such as IPED and Cellebrite Physical Analyzer.
A simple application that extracts your Indicators of Compromise (IoCs) from garbage input and checks their reputation using multiple CTI services.
This project aims to provide a simple and efficient way to check the reputation of your observables using multiple services, without having to deploy a complex solution.
Microsoft Windows DLL Export Browser (Enumerate Exports, COM Methods and Properties) with Advanced Search Features.
DLest is specifically designed to assist developers and malware analysts with the analysis and manipulation of exported functions in Portable Executable (PE) files, particularly DLLs. With DLest, you can easily enumerate exported functions using a variety of methods, including drag and drop, opening a folder, or recursively scanning a folder with regular expression filtering to only include PE files with specific export function names.
Network Analysis Tool.
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it is also capable of live capturing directly from a network interface). It includes: password extraction, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute force attack.
Collaborative forensic timeline analysis.
Timesketch is an open-source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.
A centralized and enhanced memory analysis platform.
VolWeb is a digital forensic memory analysis platform that leverages the power of the Volatility 3 framework. It is dedicated to aiding in investigations and incident responses.
PhishTool automatically retrieves all of the relevant metadata from a phishing email, providing you with the most comprehensive technical view of a phishing email possible. This combined with our OSINT and heuristic detection, makes PhishTool one seriously powerful tool.
Open-Source Collaborative Incident Response Platform.
Created by incident responders for incident responders.
Iris is a collaborative web platform aiming to help incident responders share technical details during investigations.
Volatility 3: The volatile memory extraction framework
Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.
Volatility Memory Forensics - Promoting Accessible Memory Analysis Tools Within the Memory Forensics Community.
Memory analysis has become one of the most important topics to the future of digital investigations, and The Volatility Framework has become the world’s most widely used memory forensics tool - relied upon by law enforcement, military, academia, and commercial investigators around the world. The Volatility Foundation helps keep Volatility going so that it may be used in perpetuity, free and open to all.
Linpmem is a Linux memory acquisition tool. Linpmem is a Linux x64-only tool for reading physical memory.
Like its Windows counterpart, Winpmem, this is not a traditional memory dumper. Linpmem offers an API for reading from any physical address, including reserved memory and memory holes, but it can also be used for normal memory dumping. Furthermore, the driver offers a variety of access modes to read physical memory, such as byte, word, dword, qword, and buffer access mode, where buffer access mode is appropriate in most standard cases. If reading requires an aligned byte/word/dword/qword read, Linpmem will do precisely that.
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Gitxray (short for Git X-Ray) is a multifaceted security tool designed for use on GitHub repositories. It can serve many purposes, including OSINT and Forensics. gitxray leverages public GitHub REST APIs to gather information that would otherwise be very time-consuming to obtain manually. Additionally, it seeks out information in unconventional places.
Stop trying to avoid phishing. Choose a weapon and fight it...
PhishTool gives human analysts the power to reverse engineer phishing emails, to better defend against them. PhishTool is to phishing emails as a disassembler is to malware or a forensic toolkit is to file systems.
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
ForensicMiner, a PowerShell-based DFIR automation tool, revolutionizes the field of digital investigations. Designed for efficiency, it automates artifact and evidence collection from Windows machines. Compatibility with CrowdStrike Falcon RTR and Palo Alto Cortex XDR Live Terminal, along with its swift performance and user-friendly interface, makes ForensicMiner an indispensable asset for investigators navigating the complexities of forensic analysis. Streamlined and effective, this tool sets a new standard in the realm of digital forensics.
The Volatility Foundation is an independent 501(c)(3) non-profit organization that maintains and promotes The Volatility memory forensics framework.
All-in-One malware analysis tool.
All-in-One malware analysis tool for analyzing many file types, from Windows binaries to e-mail files.