# 🕵️‍♂️ Computer Forensics


Curated list of awesome free forensic analysis tools and resources.

## 📟 Distributions

| Name | Description | Download |
| --- | --- | --- |
| bitscout | Bitscout is a customizable live OS constructor tool written entirely in bash. Its main purpose is to help you quickly create your own remote forensics bootable disk image. | github |
| REMnux | REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. It provides a curated collection of free tools created by the community, so analysts can investigate malware without having to find, install and configure the tools themselves. | Download |
| SANS Investigative Forensics Toolkit (SIFT) | Linux distribution for forensic analysis. | github |
| Tsurugi Linux | Tsurugi Linux is a DFIR open source project that is, and will remain, totally free and independent, without involving any commercial brand. Its main goal is to share knowledge and "give back to the community". | Download |
| WinFE | WinFE (Windows Forensic Environment) boots on UEFI as well as legacy systems without changing BIOS settings, so devices such as the Microsoft Surface Pro can be forensically imaged. BitLocker volumes are supported provided you have the recovery key or password. | Download |

## 📔 Frameworks

| Name | Description | Download |
| --- | --- | --- |
| Autopsy | Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card. | Download |
| DFF | DFF (Digital Forensics Framework) is a forensics framework with command line and graphical interfaces. It can be used to investigate hard drives and volatile memory and to create reports about user and system activities. | github |
| dexter | Forensics acquisition framework designed to be extensible and secure. | github |
| IntelMQ | IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol. | github |
| Kuiper | Kuiper is a digital investigation platform that lets investigation teams and individuals parse, search and visualize collected evidence (for example, evidence collected by a fast triage script such as Hoarder). | github |
| Laika BOSS | Laika BOSS: Object Scanning System. | github |
| PowerForensics | PowerForensics provides an all-in-one platform for live disk forensic analysis. | github |
| The Sleuth Kit | The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools for investigating volume and file system data. The library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence. | github |
| Turbinia | Turbinia is an open-source framework for deploying, managing and running forensic workloads on cloud platforms. | github |
| IPED (Indexador e Processador de Evidências Digitais) | IPED is an open source digital forensic tool for processing and analyzing digital evidence, often seized at crime scenes by law enforcement or collected in a corporate investigation by private examiners. | github |
| Wombat Forensics | Wombat Forensics is a forensic analysis tool written entirely in C and C++. The GUI is built with Qt5, so it may one day run on Windows, Linux and macOS. | github |
| binwalk | Firmware analysis tool. | github |

## 🔬 Memory Forensics

| Name | Description | Download |
| --- | --- | --- |
| inVtero.net | High-speed memory analysis framework developed in .NET; supports all Windows x64 versions and includes code integrity checking and write support. | github |
| KeeFarce | Extracts passwords from a KeePass 2.x database directly from memory. | github |
| MemProcFS | An easy and convenient way of accessing physical memory as files in a virtual file system. | github |
| Rekall | Rekall Memory Forensic Framework. | github |
| Volatility | The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. | github |
| VolUtility | Web app for the Volatility framework. | github |

## 📡 Network Forensics

| Name | Description | Download |
| --- | --- | --- |
| NetworkMiner | NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (it also works on Linux, Mac OS X and FreeBSD). It can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc. | Download |
| Wireshark | Wireshark is the world's foremost and most widely used network protocol analyzer. It lets you see what is happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies and educational institutions. | Download |

## 🔪 Live Forensics

| Name | Description | Download |
| --- | --- | --- |
| GRR | GRR Rapid Response: remote live forensics for incident response. | github |
| Linux Expl0rer | Easy-to-use live forensics toolbox for Linux endpoints, written in Python and Flask. | github |
| MIG | Distributed, real-time digital forensics at the speed of the cloud. | github |
| osquery | SQL-powered operating system analytics. | github |
| UAC | UAC (Unix-like Artifacts Collector) is a live response collection tool for incident response that uses built-in tools to automate the collection of artifacts from Unix-like systems. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris. | github |

## 📎 IOC Scanner

| Name | Description | Download |
| --- | --- | --- |
| Fenrir | Fenrir is a simple IOC scanner bash script. | github |
| Loki | Scanner for simple indicators of compromise. | github |
| Redline | Redline®, FireEye's free endpoint security tool, provides host investigative capabilities for finding signs of malicious activity through memory and file analysis and the development of a threat assessment profile. | Download |
| THOR Lite | THOR Lite includes the file system and process scan modules as well as a module that extracts "autoruns" information on the different platforms. | Download |

## 📷 Imaging

| Name | Description | Download |
| --- | --- | --- |
| dc3dd | A patched version of GNU dd with several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter and file verification. | Download |
| dcfldd | dcfldd is an enhanced version of GNU dd with features useful for forensics and security. | Download |
| FTK Imager | Free imaging tool for Windows. | Download |
| Guymager | Open source disk imaging tool for Linux systems. | Download |
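The features listed for dc3dd and dcfldd (hash the input as it is read, split the output into segments, verify the written image) are the core of a defensible acquisition. The following is an added example, not code from either tool, that performs that loop in plain Python against a constructed temporary file standing in for the device; the function names, the segment naming scheme and the 300 KiB segment size are this example's own choices.

```python
"""Hash-while-imaging with split output and post-write verification, the
workflow behind dc3dd/dcfldd, written out in plain Python. Added example;
the "device" is a constructed temporary file, not a real block device."""
import hashlib
import os
import tempfile


def image_and_hash(src_path, dst_prefix, segment_size, block_size=65536):
    """Copy src_path into dst_prefix.000, .001, ... of at most segment_size
    bytes each, hashing the source stream as it is read (one pass over the
    input, the way dc3dd's on-the-fly hashing works).
    Returns (sha256 hex digest of the source, list of segment paths)."""
    digest = hashlib.sha256()
    segments = []
    out = None
    written = 0  # bytes written to the current segment
    with open(src_path, "rb") as src:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            pos = 0
            while pos < len(chunk):
                if out is None or written >= segment_size:
                    if out is not None:
                        out.close()
                    path = "%s.%03d" % (dst_prefix, len(segments))
                    out = open(path, "wb")
                    segments.append(path)
                    written = 0
                piece = chunk[pos:pos + segment_size - written]
                out.write(piece)
                written += len(piece)
                pos += len(piece)
    if out is not None:
        out.close()
    return digest.hexdigest(), segments


def hash_segments(segments, block_size=65536):
    """Re-read the segments in order and hash them as a single stream. This is
    the verification step: the result must equal the source hash."""
    digest = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(block_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def demo():
    """Image a constructed 1 MiB 'device' into 300 KiB segments, verify the
    copy, then flip one byte in a segment to show that verification catches
    it. Returns a dict of results."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sdb.bin")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed data
        src_hash, segs = image_and_hash(dev, os.path.join(tmp, "sdb.dd"), 300 * 1024)
        verified = hash_segments(segs) == src_hash
        sizes = [os.path.getsize(p) for p in segs]
        # Tamper with the last segment: verification must now fail.
        with open(segs[-1], "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        tamper_detected = hash_segments(segs) != src_hash
        return {"verified": verified, "segments": sizes, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the result dict. The point worth noting is that the source hash is computed from the same bytes that were written, in a single pass, and the verification re-reads the segments in order; on a real device you would additionally record a hash per segment so that a single damaged segment can be located later.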

## 🏢 Windows Artifacts

| Name | Description | Download |
| --- | --- | --- |
| Beagle | Transforms data sources and logs into graphs. | github |
| FRED | Cross-platform Microsoft registry hive editor. | Download |
| LastActivityView | LastActivityView by NirSoft is a tool for Windows that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer. | Download |
| LogonTracer | Investigate malicious Windows logons by visualizing and analyzing Windows event logs. | github |
| python-evt | Pure Python parser for classic Windows Event Log files (.evt). | github |
| RegRipper 3.0 | RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis. | github |
| RegRippy | A framework for reading and extracting useful forensic data from Windows registry hives. | github |

## 🍏 OS X Forensics

| Name | Description | Download |
| --- | --- | --- |
| APFS FUSE | A read-only FUSE driver for the Apple File System. It also supports software-encrypted volumes and fusion drives; firmlinks are not supported yet. | github |
| mac_apt (macOS Artifact Parsing Tool) | mac_apt is a DFIR (Digital Forensics and Incident Response) tool that processes full disk images of Mac computers (or live machines) and extracts data/metadata useful for forensic investigation. | github |
| MacLocationsScraper | Dumps the contents of the location database files on iOS and macOS. | github |
| macMRUParser | Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human-friendly format. | github |
| OSXAuditor | OS X Auditor is a free Mac OS X computer forensics tool. | github |
| OSXCollector | OSXCollector is a forensic evidence collection and analysis toolkit for OS X. | github |

## 📱 Mobile Forensics

| Name | Description | Download |
| --- | --- | --- |
| Andriller | Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. | github |
| ALEAPP | Android Logs, Events And Protobuf Parser. | github |
| ArtEx | ArtEx (Artifact Examiner) from DoubleBlak Digital Forensics, a site run by Ian Whiffin (a former law enforcement digital forensics examiner with a mid-sized municipal police agency) and aimed at helping forensic examiners. | Download |
| iLEAPP | An iOS Logs, Events, And Plists Parser. | github |
| iOS Frequent Locations Dumper | Dumps the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/. | github |
| MEAT | Performs different kinds of acquisitions on iOS devices. | github |
| MobSF | An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. | github |
| OpenBackupExtractor | An app for extracting data from iPhone and iPad backups. | github |

## 👮‍♂️ Docker Forensics

| Name | Description | Download |
| --- | --- | --- |
| dof (Docker Forensics Toolkit) | A toolkit for the post-mortem examination of Docker containers from forensic HDD copies. | github |
| Docker Explorer | Extracts and interprets forensic artifacts from disk images of Docker host systems. | github |

## 📸 Picture Analysis

| Name | Description | Download |
| --- | --- | --- |
| Ghiro | A fully automated tool designed to run forensic analysis over a massive amount of images. | Download |
| Sherloq | Open-source toolset for forensic image analysis: the application of image science and domain expertise to interpret the content of an image and/or the image itself in legal matters. | github |
| Image Analyzer | Image Analyzer is a program for viewing and editing image files. The interface is plain and easy to navigate, if somewhat dated; pictures can be opened via the file browser only, since drag and drop is not supported. File format options such as compression level, transparent color key, quality and file size can be configured. | Download |
| pngcheck | pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can print basic statistics about an image (dimensions, bit depth, etc.), list the color and transparency info in its palette (if it has one), or extract the embedded text annotations. It is a command-line program with batch capabilities. | Download |
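The pngcheck entry lists exactly what a PNG integrity check has to do: walk the chunks, recompute each chunk's CRC-32, inflate the IDAT stream and compare its size with what IHDR implies, and pull out the tEXt annotations. This added example (it is not pngcheck's code) does those steps in Python on a PNG constructed inline; `build_sample_png`, `parse_png` and `flip_byte` are names chosen for this example.

```python
"""A minimal PNG chunk walker: verify each chunk's CRC-32, check that the
inflated image data matches the dimensions in IHDR, and extract tEXt
annotations. Added example; the PNG it parses is constructed inline."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, data):
    """Build one chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 2x1 RGB 8-bit image with one tEXt chunk (sample input only)."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)  # w, h, depth, color type 2 = RGB
    text = b"Comment\x00made by the added example"
    raw = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"  # filter byte 0 + two pixels
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", text)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def flip_byte(data, offset, mask=0x01):
    """Return a copy of data with one byte XORed, to simulate corruption."""
    b = bytearray(data)
    b[offset] ^= mask
    return bytes(b)


def parse_png(data):
    """Walk the chunks. Returns a dict with (type, length, crc_ok) per chunk,
    the IHDR dimensions, the tEXt keyword/value pairs and whether the inflated
    IDAT stream has the length IHDR implies. Raises ValueError on truncation."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    report = {"chunks": [], "text": {}, "width": None, "height": None, "idat_ok": None}
    idat = b""
    bit_depth = color_type = None
    pos = 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated %r chunk at offset %d" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        stored_crc, = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        report["chunks"].append((ctype.decode("latin-1"), length, crc_ok))
        if ctype == b"IHDR":
            report["width"], report["height"] = struct.unpack(">II", body[:8])
            bit_depth, color_type = body[8], body[9]
        elif ctype == b"tEXt":  # keyword, NUL, Latin-1 text
            key, _, value = body.partition(b"\x00")
            report["text"][key.decode("latin-1")] = value.decode("latin-1")
        elif ctype == b"IDAT":
            idat += body
        pos = end
        if ctype == b"IEND":
            break
    # Inflate the pixel stream and compare with the size IHDR implies:
    # one filter byte per row plus ceil(width * bits_per_pixel / 8) bytes.
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(color_type)
    if channels is not None and idat:
        row_bytes = 1 + (report["width"] * channels * bit_depth + 7) // 8
        try:
            report["idat_ok"] = len(zlib.decompress(idat)) == report["height"] * row_bytes
        except zlib.error:
            report["idat_ok"] = False
    return report


if __name__ == "__main__":
    png = build_sample_png()
    print(parse_png(png))
    print(parse_png(flip_byte(png, 49)))  # corrupt the tEXt value: its CRC now fails
```

A CRC failure on a single chunk while the rest of the file verifies is the pattern to look for when text or ancillary chunks have been edited by hand; a mismatch between the inflated IDAT size and IHDR usually means the image data has been truncated or replaced.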

## 📚 Metadata Forensics

| Name | Description | Download |
| --- | --- | --- |
| ExifTool | ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. | Download |
| FOCA | FOCA is a tool used mainly to find metadata and hidden information in documents. | github |

## 🔎 Steganography

| Name | Description | Download |
| --- | --- | --- |
| Sonic Visualiser | Sonic Visualiser is a free, open-source application for Windows, Linux and Mac, designed to be the first program you reach for when you want to study a music recording closely. | Download |
| Steghide | Steghide is a steganography program that hides data in various kinds of image and audio files. | github |
| WavSteg | A steganographic coder for WAV files. | github |
| zsteg | Detects steganographically hidden data in PNG and BMP files. | github |
| OutGuess | OutGuess is an advanced steganography tool. It conceals your document inside a JPEG image of your choice. | github |
| Xiao Steganography | Xiao Steganography is free software that hides secret files in BMP images or WAV files. | Download |
| Crypture | Crypture is a command-line steganography tool; it hides sensitive data inside a BMP image file. | Download |
| SteganographX Plus | SteganographX Plus is a small tool that hides confidential data inside a BMP image. | Download |
| rSteg | rSteg is a Java-based tool that hides textual data inside an image. It has two buttons: one to encrypt and one to decrypt the text. | Download |
| SSuite Picsel | SSuite Picsel is a free portable application to hide text inside an image file. | Download |
| Our Secret | Our Secret is a tool for hiding sensitive information in a file. | Download |
| Camouflage | Camouflage is a steganography tool that lets you hide any type of file inside another file. | Download |
| OpenStego | OpenStego hides data in image files and writes the output as a PNG; the same program reveals the data from the output file. It can also protect the hidden data with a password. Open source, written in Java. | Download |
| SteganPEG | SteganPEG lets you hide any kind of file in a JPG image, protected by a password. | Download |
| Hide'N'Send | Hide'N'Send is a small steganography utility. | Download |
| exif | exif is a small command-line utility to show and change EXIF information in JPEG files. | Download |
| Aperi'Solve | Aperi'Solve is an open-source platform that performs layer analysis on images. | WebPage |
| Exiv2 | Image metadata manipulation tool. | Download |
| Image Steganography | Embeds text and files in images with optional encryption. Easy-to-use UI. | Download |
| Pngtools | Various tools for PNG analysis. | Download |
| Steganabara | Steganalysis tool written in Java. | Download |
| stegbreak | stegbreak launches a brute-force dictionary attack against the specified JPG images. | Download |
| StegCracker | Steganography brute-force utility to uncover hidden data inside files. | github |
| stegextract | Detects hidden files and text in images. | github |
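Several of the image and audio tools above hide data in the least-significant bits of sample values, and scanners such as zsteg and stegextract recover it by trying bit planes and bit orders until something plausible falls out. This added example, which is not code from any of those projects, embeds a length-prefixed payload into bit 0 of a constructed sample buffer (think pixel bytes of a BMP or PCM samples of a WAV) and then recovers it by the same parameter sweep; `embed_lsb`, `extract_lsb` and `scan` are this example's own names, and the 32-bit length header is this example's own convention, not the on-disk format of any listed tool.

```python
"""LSB steganography in a raw sample buffer: embed one payload bit per
sample byte in a chosen bit plane, then recover it by sweeping the bit
plane and bit order the way LSB scanners do. Added example; the cover
buffer and payload are constructed."""
import struct


def embed_lsb(cover, payload, plane=0, msb_first=True):
    """Write len(payload) as a 32-bit big-endian prefix followed by payload
    into bit `plane` of successive cover bytes. Returns a new bytes object."""
    message = struct.pack(">I", len(payload)) + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes" % (len(message) * 8))
    out = bytearray(cover)
    mask = 1 << plane
    i = 0
    for byte in message:
        bit_order = range(7, -1, -1) if msb_first else range(8)
        for k in bit_order:
            bit = (byte >> k) & 1
            out[i] = (out[i] & ~mask & 0xFF) | (bit << plane)
            i += 1
    return bytes(out)


def extract_lsb(stego, plane=0, msb_first=True):
    """Inverse of embed_lsb: read the 32-bit length, then that many bytes.
    Returns None when the header or the announced length does not fit."""
    mask = 1 << plane

    def read_byte(i):
        v = 0
        for k in range(8):
            bit = (stego[i + k] & mask) >> plane
            v |= bit << (7 - k if msb_first else k)
        return v

    if len(stego) < 32:
        return None
    n, = struct.unpack(">I", bytes(read_byte(i) for i in range(0, 32, 8)))
    if 32 + n * 8 > len(stego):
        return None
    return bytes(read_byte(32 + j * 8) for j in range(n))


def scan(stego, planes=(0, 1, 2)):
    """Sweep the parameter space the way zsteg/stegextract do and keep hits
    whose announced length fits the buffer and whose bytes are printable ASCII.
    Returns a list of ((plane, msb_first), payload) pairs."""
    hits = []
    for plane in planes:
        for msb_first in (True, False):
            data = extract_lsb(stego, plane, msb_first)
            if data and all(32 <= b < 127 for b in data):
                hits.append(((plane, msb_first), data))
    return hits


if __name__ == "__main__":
    cover = bytes((i * 37 + 11) & 0xFF for i in range(2048))  # constructed samples
    stego = embed_lsb(cover, b"meet at dawn", plane=0)
    print(scan(stego))
```

The sweep is what makes the scanners useful in practice: a wrong bit order or bit plane yields garbage that fails the length and printability checks, so the one combination that decodes cleanly stands out. Real scanners extend the same loop over channel order, column-versus-row traversal and multiple bits per sample.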

## ⚙ Management

| Name | Description | Download |
| --- | --- | --- |
| DFIRTrack | Digital Forensics and Incident Response Tracking application; tracks systems. | github |
| Incidents | Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads. | github |

## 🔩 Decryption

| Name | Description | Download |
| --- | --- | --- |
| hashcat | Fast password cracker with GPU support. | Download |
| John the Ripper | John the Ripper is an open source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, web apps (e.g., WordPress), groupware (e.g., Notes/Domino) and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.); filesystems and disks (macOS .dmg files and "sparse bundles", Windows BitLocker, etc.); archives (ZIP, RAR, 7z); and document files (PDF, Microsoft Office, etc.). These are just some examples; there are many more. | Download |

## 📀 Disk image handling

| Name | Description | Download |
| --- | --- | --- |
| Disk Arbitrator | A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device. | github |
| imagemounter | Command line utility and Python package to ease the (un)mounting of forensic disk images. | github |
| libewf | libewf is a library and a set of tools to access the Expert Witness Compression Format (EWF, E01). | github |
| PancakeViewer | Disk image viewer based on dfvfs, similar to the FTK Imager viewer. | github |
| xmount | Convert between different disk image formats. | Download |

## 📔 Resources

| Name | Detail |
| --- | --- |
| Learning Network Forensics | Learning Network Forensics, by Packt |
| Steganography for the Computer Forensics Examiner | An Overview of Steganography for the Computer Forensics Examiner |
| Image forensics | Learning Rich Features for Image Manipulation Detection |
| Docker forensics | Docker Forensics for Containers |
| Memory forensics | Learn Windows memory forensics |
| Smartphone forensics | Smartphone Forensic Analysis In-Depth |

## License

Released under MIT by @xiosec.