Resources provided by the community that can be useful for Law Enforcement worldwide
- Free Training
- Guides, Publications and Books
- Ransomware Identification and Decryption Resources
- Malware Analysis
- Reverse Engineering
- Phishing
- Computer Investigations
- Mobile Investigations
- IP Resolution Services
- Email Analysis
- MLA Resources
- End-to-end encrypted messengers
- Self Contained and Darknet Resources
- Resources for CSAM Investigators
- Regular Expressions
- Android Resources
- Contributing to this Project
- NW3C - Online Training - Free online training provided by NW3C. Great for padding the CV with training! US LE only. LE outside the US may have to contact NW3C to ask for access, but I can't promise LE outside of the USA can access the training.
- Texas A&M TEEX - Cybersecurity - Any class with the FEMA logo (A) is free! Stock up on the certificates of completion!
- NIST - Computer Security Incident Handling Guide
- NIST - Guidelines on Mobile Device Forensics
- NIST - Guide to Integrating Forensic Techniques into Incident Response
- NIST - Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- NO MORE RANSOM - Ransomware decryption tools/platform.
- ID Ransomware - Ransomware identification platform.
- Trend Micro Ransomware - Ransomware identification tool specializing in removing ransomware types that perform screen locking.
- Bitdefender Ransomware - Ransomware recognition tool.
- Any.run - Interactive Online Malware Analysis Sandbox - ANY.RUN
- VirusTotal - Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
- Hybrid Analysis - Free Automated Malware Analysis Service - powered by Falcon Sandbox.
- Cuckoo Sandbox - Cuckoo Sandbox.
- FlareVM - FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
- Joe Sandbox - Joe Sandbox
- Hatching Triage - Malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS)
- REMnux - A Linux Toolkit for Malware Analysis
- Reverse.it - Web-based malware analysis tool - powered by CrowdStrike Falcon.
- Limon - Malware Analysis Sandbox for analyzing Linux malware.
- UNPACME - An automated malware unpacking service from OpenAnalysis
- disassembler.io
- PhishTank - PhishTank is a collaborative clearing house for data and information about phishing on the Internet.
- Password Cracking - Mimikatz NTLM Hash Extraction - How to extract the NTLM hash used by Windows for use in password cracking software.
- Password Cracking - Hashcat Brute Force - How to use the brute force attack mode of Hashcat and an explanation of what brute force is doing.
- Password Cracking - Hashcat Dictionary + Rules - How to use Hashcat's dictionary attack mode with a rule set.
- NTLM Hash Generator - A short Python script to generate NTLM hashes for testing purposes.
- WinDbg Cheat Sheet - Command cheat sheet for WinDbg usage.
- Memory Forensics Cheat Sheet
- REMnux Usage Tips for Malware Analysis on Linux - Useful for knowing the commands and tools to use when analyzing malware using the REMnux VM.
- Malware Analysis and Reverse-Engineering Cheat Sheet - Tips for analyzing and reverse-engineering malware.
- Windows Security Log Events Encyclopedia
- Linux Compromise Assessment Command Cheat Sheet
- Linux Shell Survival Guide - Covers the more useful Linux shell primitives and core utilities.
- Intrusion Discovery Cheat Sheet for Linux - Useful for finding indications of a system compromise.
- mac4n6 - Mac forensics resources
- Mac OS X Forensic Artifact Locations
- SANS FOR518 - Mac & iOS HFS+ Filesystem Reference Sheet
- All Possible Pattern Locks - Text files containing all possible PIN combinations up to 9 characters.
- All Possible 4-Digit PIN codes - Text file containing all possible 4-digit PIN combinations.
- All Possible 5-Digit PIN codes - Text file containing all possible 5-digit PIN combinations.
- All Possible 6-Digit PIN codes - Text file containing all possible 6-digit PIN combinations.
- All Possible 7-Digit PIN codes - Text file containing all possible 7-digit PIN combinations.
- All Possible 8-Digit PIN codes - Text file containing all possible 8-digit PIN combinations.
- Predictability of Android Lock Patterns - Ars Technica article about Android lock patterns.
- 10 Most Common Pattern Locks - YouTube video about common lock patterns.
- Common lock Patterns Cheat Sheet - From Pinterest/sanketmisal
- Android Pattern Lock - GitHub repo with pattern text files.
- Android Password List - Wordlist for use with digital forensics tools that brute-force Android passwords.
- MaxMind - Useful for resolving IPs. MaxMind is known for offering better geolocation than most other similar services.
- WhoisXML API - Useful for gathering, analyzing, and correlating domain, IP, and DNS data. Obtain precise geographical data down to the postal code with latitude and longitude coordinates, network information, timezone, connected domains, and more for deeper contextualization.
- Email Header Analyzer - Will make email headers human readable by parsing them according to RFC 822
- DMARC Check Tool - Diagnostic tool that will parse the DMARC Record for the queried domain name, display the DMARC Record, and run a series of diagnostic checks against the record
- UNODC SHERLOC - Legislation, CNA list and treaties.
Name | URL | iOS | Android | Windows | Mac | Linux | Web |
---|---|---|---|---|---|---|---|
BRIAR | https://briarproject.org/ | ? | ? | ? | ? | ? | ? |
Element | https://element.io/ | ? | ? | ? | ? | ? | ? |
Jitsi | https://meet.jit.si/ | ? | ? | ? | ? | ? | ? |
Line | https://line.me/en/ | ? | ? | ? | ? | ? | ? |
Session | https://getsession.org/ | ? | ? | ? | ? | ? | ? |
Signal | https://www.signal.org/ | ? | ? | ? | ? | ? | ? |
Silence | https://silence.im/ | ? | ? | ? | ? | ? | ? |
Telegram | https://telegram.org/ | ? | ? | ? | ? | ? | ? |
Threema | https://threema.ch/en/ | ? | ? | ? | ? | ? | ? |
Tox | https://tox.chat/ | ? | ? | ? | ? | ? | ? |
Viber | https://www.viber.com/ | ? | ? | ? | ? | ? | ? |
WhatsApp | https://www.whatsapp.com/ | ? | ? | ? | ? | ? | ? |
Wickr Me | https://wickr.com/ | ? | ? | ? | ? | ? | ? |
Wire | https://wire.com/en/ | ? | ? | ? | ? | ? | ? |
Keybase | https://keybase.io/ | ? | ? | ? | ? | ? | ? |
- TOR - The Onion Router.
.onion
- I2P - The Invisible Internet Project.
.i2p
.b32.i2p
- Lokinet - Anonymous Internet Access.
.loki
- ZeroNet - Decentralized websites using Bitcoin cryptography and the BitTorrent network.
.bit
https://zeronet.link/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Retroshare - Retroshare establishes encrypted connections between you and your friends to create a network of computers, and provides various distributed services on top of it: forums, channels, chat, mail...
- OpenBazaar - A free online marketplace. No platform fees. No restrictions. Earn cryptocurrency.
- Freenet - Freenet is a peer-to-peer platform for censorship-resistant communication and publishing.
- Tails - A portable operating system that protects against surveillance and censorship.
- Whonix - Software That Can Anonymize Everything You Do Online.
While the mission of combating child sexual abuse is extremely important, it is also important to keep ourselves healthy. The following are a few research papers showing the effects of prolonged exposure to CSAM.
- Mental health factors from working CSAM - Paper from University of New Hampshire
- Posttraumatic stress among CSAM investigators - Paper from Oxford
- Intimate relationship satisfaction among CSAM investigators - Paper from Frontiers in Public Health
- Tor hidden services (V2 & V3)
[a-z2-7]{16}\.onion|[a-z2-7]{56}\.onion
- I2P hidden service (b32)
([a-zA-Z0-9]{52}\.b32\.i2p)
- I2P hidden service (.i2p)
([a-zA-Z0-9]+\.i2p(?<!b32\.i2p))
- Bitcoin address (SegWit & Legacy) (BTC)
([13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
- Litecoin address (LTC)
[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}
- Ethereum & Ethereum Classic address (ETH & ETC)
0x[a-fA-F0-9]{40}
- Ripple address (XRP)
[0-9a-zA-Z]{24,34}
- Dogecoin address (DOGE)
D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}
- Monero address (XMR)
[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}
- Dash address (DASH)
X[1-9A-HJ-NP-Za-km-z]{33}
The addresses listed below are completely random and are in no way affiliated with this repository. Do not send money to the addresses listed below!!!
- Bitcoin (Legacy)
1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
- Bitcoin (SegWit)
bc1qj89046x7zv6pm4n00qgqp505nvljnfp6xfznyw
- Litecoin (Legacy)
LVtdzELRdQDTa35y1bQPKTSvL3TEv1y5Ut
- Ethereum & Ethereum Classic
0xF25228015a2be633a6a60e9cB4643813DAf28AA0
- Ripple
rJiZJRSiseTcKWepsAC6ed6EDbgu2ohPov
- Monero
49fpXfThF8bZwuLADG1WZ57vM8oNEuQGaHyBEomSXaaAZhCQqX6j4E9QNz6cqniBrian3zZhu7UpkD85MbrsrjvwMTxqnqe
- DogeCoin
DJJ2gcQ6WP59Z7mRuGKaW6sbMpcBvGqfoE
- Dash
XcsNx9hSEqDzFZrBrVViiZ8GhYgndBVyEY
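As an added example (not part of this repository), the patterns from the Regular Expressions section applied with Python's `re` to a constructed text containing the sample addresses above. Literal dots are escaped, `\b` word boundaries are added so a pattern cannot fire inside a longer token, and the Ripple pattern is run last because `[0-9a-zA-Z]{24,34}` also matches every Base58 address of that length; the hidden-service names in the sample are made up.

```python
import re

# Patterns from the page's "Regular Expressions" section. Literal dots are escaped
# and \b word boundaries added so a pattern cannot match inside a longer token.
# Ordered most specific first: "xrp" is last because [0-9a-zA-Z]{24,34} also
# matches every Base58 address of that length, so it only keeps unclaimed tokens.
PATTERNS = {
    "tor_onion": r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b",
    "i2p_b32": r"\b[a-zA-Z0-9]{52}\.b32\.i2p\b",
    "i2p_name": r"\b[a-zA-Z0-9]+\.i2p\b(?<!b32\.i2p)",  # only the last label of a host
    "btc": r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})\b",
    "ltc": r"\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b",
    "eth": r"\b0x[a-fA-F0-9]{40}\b",
    "doge": r"\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b",
    "xmr": r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b",
    "dash": r"\bX[1-9A-HJ-NP-Za-km-z]{33}\b",
    "xrp": r"\b[0-9a-zA-Z]{24,34}\b",
}

def extract_indicators(text):
    """Return {kind: [matches]}; each text span is claimed by the first pattern that hits it."""
    claimed, found = set(), {}
    for kind, pattern in PATTERNS.items():
        for m in re.finditer(pattern, text):
            if m.span() in claimed:
                continue  # already attributed to a more specific pattern
            claimed.add(m.span())
            found.setdefault(kind, []).append(m.group())
    return found

# Constructed sample: the page's own (random, unaffiliated) sample addresses plus
# made-up hidden-service names built from the alphabet each scheme allows.
ONION_V2 = "abcdefghijklmnop.onion"
ONION_V3 = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"
I2P_B32 = "abcdefghijklmnopqrstuvwxyz" * 2 + ".b32.i2p"
SAMPLE_TEXT = f"""
Seized chat log (constructed). Hidden services: {ONION_V2} {ONION_V3}
{I2P_B32} and forum.example.i2p
Wallets: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX bc1qj89046x7zv6pm4n00qgqp505nvljnfp6xfznyw
LVtdzELRdQDTa35y1bQPKTSvL3TEv1y5Ut 0xF25228015a2be633a6a60e9cB4643813DAf28AA0
rJiZJRSiseTcKWepsAC6ed6EDbgu2ohPov DJJ2gcQ6WP59Z7mRuGKaW6sbMpcBvGqfoE
XcsNx9hSEqDzFZrBrVViiZ8GhYgndBVyEY
49fpXfThF8bZwuLADG1WZ57vM8oNEuQGaHyBEomSXaaAZhCQqX6j4E9QNz6cqniBrian3zZhu7UpkD85MbrsrjvwMTxqnqe
"""

if __name__ == "__main__":
    for kind, hits in extract_indicators(SAMPLE_TEXT).items():
        print(f"{kind:10} {hits}")
```

Without the span-claiming step the Ripple pattern alone would also report the BTC, LTC, DOGE and DASH addresses, which is the main false-positive risk when these patterns are used for triage.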
Pattern.7z includes an Android Lock Pattern Wordlist taken from over 15,000 actual cases worked. The first 88 patterns should match about 80% of the commonly used lock patterns. Special thanks to Bjoern Kerler for providing this to the DFIR community.
New to GitHub? No problem! Here is a repo that you can test the instructions below on until you're comfortable enough to contribute to this repo!
Fork this repo by clicking on the Fork button on the top right of this page.
After that, you'll be working off of your Fork of this repository, which is effectively a snapshot in time.
As time goes on, this repository will evolve and your Fork will be left behind if you don't keep it updated. Be sure to Fetch Upstream before contributing so you have the most up-to-date copy of the repository before you start adding to it!
Above is an example of Fetch Upstream combined with doing a Pull Request, which is what you should do when you have something new you'd like to add to the main repo.